First Circuit finds someone to sue over cybersecurity

The sound you hear is legal ground shifting under the banks’ feet.

Keylogging software now infects many small businesses.  Hackers use it to steal banking credentials and make wire transfers.  Keeping the hackers out is very difficult, at least for small businesses. The most promising way to defeat such fraud is for banks to deploy back-end systems that evaluate each transaction to identify unusual transfers.
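As an added illustration (not part of the original post) of what such a back-end check looks like in practice: a toy scorer that compares an outgoing wire against an account's own history and asks for a callback when several independent signals line up. The account, beneficiary and device identifiers below are constructed sample data, and the three-signal rule and thresholds are assumptions chosen for the example, not any bank's actual policy.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transfer:
    account: str
    beneficiary: str   # receiving account identifier (constructed)
    amount: float
    device_id: str     # fingerprint of the browser/PC that submitted it (constructed)

def score_transfer(history, new):
    """Return (score, reasons): one point per independent anomaly signal."""
    reasons = []
    if new.beneficiary not in {t.beneficiary for t in history}:
        reasons.append("beneficiary never paid before")
    if new.device_id not in {t.device_id for t in history}:
        reasons.append("submitted from an unrecognised device")
    amounts = [t.amount for t in history]
    if amounts:
        mu, sigma = mean(amounts), pstdev(amounts)
        # Floor the spread at 10% of the mean so a very steady history
        # does not flag every small variation; 3 sigma is the assumed cutoff.
        if new.amount > mu + 3 * max(sigma, 0.1 * mu):
            reasons.append("amount far above the account's historical range")
    return len(reasons), reasons

def needs_callback(history, new, threshold=2):
    """Hold the wire and phone the customer when enough signals coincide."""
    score, reasons = score_transfer(history, new)
    return score >= threshold, reasons

# Constructed history: a small business paying two suppliers and payroll
# from the same office PC.
HISTORY = [
    Transfer("SMB-001", "SUPPLIER-A", 2400.0, "pc-office-1"),
    Transfer("SMB-001", "SUPPLIER-B", 2550.0, "pc-office-1"),
    Transfer("SMB-001", "SUPPLIER-A", 2400.0, "pc-office-1"),
    Transfer("SMB-001", "PAYROLL-SVC", 7800.0, "pc-office-1"),
    Transfer("SMB-001", "SUPPLIER-B", 2500.0, "pc-office-1"),
    Transfer("SMB-001", "PAYROLL-SVC", 7800.0, "pc-office-1"),
]
ROUTINE = Transfer("SMB-001", "SUPPLIER-A", 2450.0, "pc-office-1")
SUSPECT = Transfer("SMB-001", "UNKNOWN-ACCT", 48000.0, "pc-unknown-9")

if __name__ == "__main__":
    for t in (ROUTINE, SUSPECT):
        print(t.beneficiary, needs_callback(HISTORY, t))
```

The point of combining signals is that a keylogger that steals valid credentials still has to beat the account's own behavioural baseline, which the attacker cannot read off the keyboard.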

We’re all familiar with that solution.  Back-end systems prompt your bank to call you whenever your credit card has an unusual charge. Banks do that because they’re liable for consumer credit card charges. For small businesses, though, the shoe is on the other foot.  

Under the UCC, a bank can impose liability for cybersecurity failures on its commercial customers as long as the bank uses a “commercially reasonable” method to authenticate its customers. So banks have less incentive to monitor small-business transfers aggressively. All they need to do is follow a standard contractual security protocol — unless the courts decide that the protocol is no longer commercially reasonable.

That’s exactly what’s starting to happen, as the trickle of keylogger fraud turns into a flood.  The most recent decision, the Patco case from the First Circuit, overturns a recent lower court ruling against bank liability. After this decision, banks cannot feel comfortable relying on their contracts to protect them.  Instead, facing a newly fluid and unpredictable liability environment, banks (and courts) will be struggling to find a reasonable way to use back-end systems to monitor wire-transfer hacking fraud.

On the whole, that’s a good thing.  Small businesses can’t keep hackers out reliably, so they need help from the banks, which have greater visibility into fraud patterns.

But I can’t help pointing out that the decision, which at first glance seems to be Sticking it to the Man, is in fact going to result in much more intrusive monitoring of money transfers by banks. In short, it means less privacy.

Maybe you’re thinking that banking privacy has been dead for years, so this is no big deal.  But the lesson can be generalized.  Banking is not the only online activity where good security requires centralized authorities to engage in more aggressive and detailed behavioral monitoring of network transactions. Corporate security has also shifted to internal monitoring in the hope that spotting anomalous behavior will identify compromised machines. It’s the only technique that seems to offer much hope.

But what happens when those compromised computers go out on the Internet?  Who’s watching for signs of compromise there? Right now, nobody.  That makes privacy advocates very happy. But it seems to me that there’s a growing gulf between what makes the privacy advocates happy and what makes users of the net safe.

UPDATE: Typos fixed; thanks, Tatil_S