An unusual legal dispute between a Texas bank and a business customer over the online theft of more than $800,000 from the latter's account at the bank has been quietly settled.
Lubbock, Texas-based PlainsCapital Bank earlier this year sued Hillary Machinery Inc. after cybercrooks broke into Hillary's PlainsCapital accounts and wire-transferred about $801,000 to various bank in Europe.
About $600,000 of that amount was later recovered by the bank. In a letter to the bank, Plano, Texas-based Hillary demanded that PlainsCapital repay it the rest of the stolen money. In a letter to the bank in December, the distributor of machine tools contended that the theft occurred because PlainsCapital failed to implement adequate security measures.
PlainsCapital promptly sued the company, arguing that its security procedures were "commercially reasonable" and that it that it had made every effort to recover the stolen money.
Hillary filed a countersuit against the bank for not doing enough to protect customer accounts.
The two sides agreed late last week to settle the case, just days after a federal court in Texas rejected motions by PlainsCapital to compel arbitration of the dispute. Troy Owen, Hillary's vice president of sales and marketing, confirmed the agreement but refused to disclose details, citing confidentiality agreements. John Floeter, a spokesman for PlainsCapital, also confirmed the settlement and declined to comment further.
The settlement brings to an end a case that had attracted considerable attention. PlainsCapital's lawsuit against Hillary was believed to be the first time that a bank preemptively sued a customer that had been victimized by a cybertheft.
In the lawsuit, filed in U.S. District Court for the Eastern District of Texas, PlainsCapital argued that it had made every effort to recover the stolen money and claimed that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. The bank claimed that it had accepted the wire transfer requests in good faith.
PlainsCapital's lawsuit named Hillary as the defendant, but did not accuse the company of any wrongdoing. Instead, it asked the court to certify that reasonable computer security measures were in place when the breach occurred.
In its countersuit, Hillary charged that the bank failed to take adequate measures to protect its account. Hillary contended that the authentication measures used by PlainsCapital for wire transfer transactions were inadequate, outdated and not "commercially reasonable." The company argued that PlainsCaptial should have spotted the illegal money transfers, which occurred over a two- to three-day period and were well outside the norm for transfers initiated by Hillary Machinery.
The distributor, noting that it isn't the responsibility of customers to secure the bank's Internet banking system, asked that PlainsCapital be ordered to reimburse it for the loss.
While the spcifics of the case are quite unusual, the now-settled dispute is only one of many between banks and customers in connection with the looting of accounts by hackers using stolen login credentials.
For example, Experi-Metal Inc. a Michigan-based manufacturer sued Comerica Bank earlier this year after cybercrooks stole $560,000 from its online banking account. In Illinois, a federal judge last fall allowed a couple to file a negligence lawsuit against Citizens Financial Bank after cyberthieves drained $26,000 from their account.
Such disputes are raising fundamental questions about due diligence issues and on whether and how much customers should be held responsible for protecting their online accounts from cyber thieves.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .
Read more about security in Computerworld's Security Topic Center.