A federal judge has rejected BancorpSouth's plan to use contractual agreements with customers as a shield against liability claims stemming from an online heist of some $440,000 that was illegally wire-transferred from the account of one of the bank's commercial customers in March 2010.
The customer, Choice Escrow and Title LLC in Springfield, Mo., filed a lawsuit against Tupelo, Miss.-based BancorpSouth in November 2010 alleging that the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC).
BancorpSouth countersued earlier this year arguing that Choice Escrow was solely responsible for the breach because it allowed hackers to gain access to legitimate login credentials.
The bank contended that Choice Escrow signed a contract that included an agreement not to hold BancorpSouth responsible for losses stemming from a failure to use the online services in a secure manner.
In its lawsuit, BancorpSouth said Choice Escrow should be held liable for legal costs and other expenses for breaching the terms of the contract by filing claims against the bank.
In a four-page ruling last week, Judge John Maughmer of the U.S. District Court for the Western District of Missouri rejected the bank's claims, ruling that Funds Transfer Act provisions preempted any other agreement between Choice Escrow and BancorpSouth.
The judge did note that both sides in the dispute had made convincing arguments to support their case. "The Court having read the briefing of the parties finds this to be a very close call," Maughmer said.
"On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency," Maughmer said. "On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships."
To accept BancorpSouth's arguments would effectively mean that Choice would have to pay back to the bank what the bank would otherwise owe to Choice under the Funds Transfer Act, the judge wrote. "Such a result seems at odds with the purpose of the Act."
The ruling means that the case between BancorpSouth and Choice Escrow could soon head to trial.
In an email to Computerworld, Jim Payne, director of business development at Choice Escrow, expressed satisfaction over the ruling.
"We are ready to get this nightmare over and maybe we are now a little closer," Payne said.
BancorpSouth officials could not be reached for comment.
The case is one of several asking courts to decide who is responsible for online account takeovers where attackers use legitimate access credentials to initiate illegal wire transfers from commercial accounts.
Hundreds of small businesses have had their accounts drained in such attacks in recent years.
Many victims have blamed banks for not taking adequate measures to detect and stop such illegal transfers.
Choice Escrow, for instance, said that BancorpSouth should have known the wire transfer request was fraudulent because it was the first time it had asked to transfer funds outside of the U.S.
Many of the banks, meanwhile, contend they are not responsible for attacks caused by a customer's failure to control access to their account.
BancorpSouth said Choice Escrow's account was raided only because the company allowed someone to gain access to a legitimate username and password. It also contended that Choice Escrow was aware that BancorpSouth offered stronger protections against illegal wire transfers, but chose not to use them.
In recent months, courts have shown a tendency to side with customers on the issue.
In July, a federal appeals court ruled against Ocean Bank in a dispute involving Patco Construction Company of Maine, which lost $345,000 in fraudulent wire transfers.
In its decision the appeals court ruled that Ocean Bank had not implemented commercially reasonable measures. The court added that further hearings would be needed to determine what Patco could have done to prevent the theft.
Last June, a Michigan court found Comerica Bank liable for a $560,000 theft from the account of Experi-Metal, a maker of auto parts based in Sterling Heights, MI.
In its ruling the court found that the bank should have done a better job of detecting and stopping the theft.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.