Sen. Charles Schumer (D-N.Y.) has introduced a bill that would protect municipalities and school districts against financial losses resulting from certain types of cybertheft.
Under the proposed bill, cities, towns and school districts would not be held liable for losses tied to online account takeovers and fraudulent electronic funds transfers initiated by cyberthieves, as long as the theft is reported in a timely manner.
It is the same sort of protection that consumers have under the Electronic Fund Transfer Act, which caps consumer liability for an unauthorized EFT at $50. Schumer's bill (S. 3898) would modify portions of the EFTA to offer the same protection to schools and municipalities.
The bill was introduced Sept. 29 and was first reported by blogger Brian Krebs. The bill appears to be a response to a string of online attacks that have resulted in the draining of millions of dollars from the bank accounts of a growing number of cities, towns and school districts over the past two years.
Earlier this year, cyberthieves broke into the bank account of the town of Poughkeepsie, N.Y., and electronically transferred $378,000 to multiple accounts in Ukraine. In another incident, cybercrooks stole $450,000 from the city of Carson, Calif. , in a similar manner.
Krebs, who has been chronicling such attacks for some time, lists similar thefts from schools and cities. Examples include the theft of close to $500,000 from the Duanesburg Central School District in New York, and $600,000 from Brigatine, N.J.
In almost all of the incidents, the perpetrators behind the attacks first stole the legitimate banking credentials from their victims, typically by using the Zeus banking Trojan program. The stolen usernames and passwords were then used to access online bank accounts and to initiate unauthorized money transfers.
The thefts have strained relations between banks and their business clients. Banks argue that they cannot be held liable for the thefts because in each case, the transfers were initiated using valid credentials and should have been better protected by their customers. Breached entities, meanwhile, accuse the banks of failing to do enough to identify and block fraudulent ETFs.
Schumer's bill would offer a measure of protection for municipal governments and school districts by making banks primarily liable for losses stemming from corporate account takeovers and ETF fraud. However, it does nothing to alleviate the concerns of small and medium-size businesses, scores of which have also been victimized by cyberthieves. Such entities may have to continue to bear losses from such thefts themselves unless they can show the bank was at fault.
News of the bill comes just days after federal authorities announced a string of arrests related to Automated Clearing House thefts.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.