An industrial maintenance and construction firm in Tennessee is suing its bank to recover $327,000 in stolen funds, according to a Krebs On Security report. If the lawsuit proceeds to trial, it could be easier and cheaper for cyber attack victims to recover losses.
According to Krebs On Security: “In May, 2012, Kingsport, Tenn.-based Tennessee Electric Company Inc. (now TEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.”
While the bank was able to recover roughly $135,000 of those unauthorized transfers, Tennessee Electric was on the hook for the rest. This month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.
Tennessee Electric alleges that the bank only called to seek approval for the fraudulent payroll draft a day after having approved it, and after security blogger Brian Krebs (of Krebs On Security) alerted them to the heist.
According to Krebs’ report on his blog: “This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyberheists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss).”
While consumers who bank online are protected by Regulation E’s limits on liability for customers losing money through unauthorized account activity, businesses do not have the same protections. The Uniform Commercial Code (UCC) holds that a payment order received by a bank is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedures and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the name of the customer.”
States across the U.S. have adopted this code, and interpretations mean that the most a business can hope to recover is the amount stolen in a cyber attack – often making it unfeasible to sue the bank and incur litigation fees, the report says.