UPDATES AND SUPPLEMENTAL MATERIAL TO CHAPTER 7
Defining “Reasonable” Cybersecurity: Overview
UPDATES TO THE SECOND EDITION
FN 2: UCC 4A
Niram Inc. v. Sterling National Bank, no. 1:21-cv-015966 (S.D.N.Y. Sept. 29, 2023) – focusing on the meaning of “authorized” and applying the law of agency, held that the bank was not required to reimburse a fraudulent transfer because the plaintiff’s employees, acting within their authority, “authorized” the transfers, notwithstanding that those employees were misled by an external fraudster; the court also held that Article 4A preempts gross negligence and contract claims.
__________________________________________________________________
SUPPLEMENTAL MATERIAL TO SECOND EDITION
More about litigation under state enactments of Article 4A of the UCC, which allocates risk for fraudulent transfers. Article 4A starts with the proposition that a bank must refund any payment of a payment order received from a customer if the order was not authorized and effective. However, § 4A-202 says that if a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized (that is, even if it is fraudulent), if the security procedure is a “commercially reasonable” method of providing security against unauthorized payment orders. § 4A-202 goes on to say that the commercial reasonableness of a security procedure is a question of law to be determined by considering a number of factors, including the wishes of the customer expressed to the bank. Moreover, under § 4A-202(c), a security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer. But even if the procedure followed is commercially reasonable, the bank must prove that it accepted the payment order in good faith. And the customer can shift liability back to the bank if it can meet the requirements of § 4A-203(a)(2), which essentially says that the bank is liable if the fraudulent transaction stemmed from a breach at the bank.
As a result of this complex shifting of risk and allocations of burdens of proof, the cases interpreting “commercially reasonable” are highly fact dependent, often turning on an in-depth analysis of the agreement between the bank and its customer, on the history of any discussions between bank and customer in setting up the account and what security measures were offered and refused, and on the “good faith” of the bank in processing the order. And while § 4A-202 refers to the security procedure in the singular, there is often a set of procedures involved. Consequently, there is no one-size-fits-all judicial rule on what is reasonable or not. Recent cases include:
Harborview Capital Partners LLC v. Cross River Bank Inc., 2:21-cv-15146 (D.N.J. April 26, 2022). If an employee of the bank customer falls prey to a hacker’s ruse (in this case, an employee designated to authorize transfers followed instructions in email from the hacked account of the CEO) and authorizes the transfer, the question of what is commercially reasonable never arises: the transfer was authorized. “The customer who, sadly, has been the victim of a third-party fraud cannot shift the loss to a bank that faithfully executed the customer’s instructions to implement a transfer.” See also Tracy v. PNC Bank, 2:20-cv-01960 (W.D. Pa. June 23, 2022) (bank customer was tricked into authorizing a transfer, but it was “authorized;” however, a claim that the bank breached its duty of good faith and fair dealing and a claim of promissory estoppel survived).
Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014). The Eighth Circuit found the bank’s security procedures were commercially reasonable, noting that they complied with guidance issued by the Federal Financial Institutions Examination Council. However, the Eighth Circuit also relied on the fact that the customer had been offered and refused to require that wire requests be approved by two of its employees.
Patco Const. Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012). Summary judgment in favor of the bank reversed. Factual issues remained, but the appeals court was not impressed with the bank’s security measures.
Experi-Metal, Inc. v. Comerica Bank, No. 09-14890, 2011 U.S. Dist. LEXIS 62677, 2011 WL 2433383 (E.D. Mich. June 13, 2011). Nothing in the agreement between bank and customer saved a bank that failed to block 93 fraudulent wires over a course of hours totaling $1.9 million. An employee of the customer had fallen victim to a phishing email and provided his log-in credentials to a hacker, but the bank was liable because it failed to respond to the volume and frequency of the wire transfers, especially given the limited previous wire activity of the customer, the destinations of the funds being in Russia, and other factors.
See C. David Hailey, What Is a Commercially Reasonable Security Procedure under Article 4A of the Uniform Commercial Code? (2014).
In determining what is commercially reasonable, the reliance of courts on the guidance of the FFIEC, at least as a starting point, stands out. Complicating matters: the FFIEC has gradually ratcheted up its guidance, most recently in 2021, which means that earlier cases finding commercially reasonable a practice that was consistent with the FFIEC guidelines in place at the time may no longer be good precedent today. See Chapter 9.2.10.3.1 for a description of the 2021 guidance, which supersedes earlier versions.
_____________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION:
7.2 Regulatory Standards (Binding)
In 2021, the Federal Trade Commission was inching towards the adoption of privacy regulations, which may or may not speak to the obligation of personal data custodians to protect that data. See updates to Chapter 10 adding a new Chapter 10.4.10.
7.4.1 The Legal Significance of Guidance
Attorney General Merrick Garland brought the matter full circle in July 2021, rescinding the Brand memo and a related, earlier memo of Attorney General Jeff Sessions. In a new memorandum on the issuance and use of guidance documents by the Department of Justice, Attorney General Garland reiterated that guidance documents do not bind the public (except where binding by operation of a grant award or contract) or have the force and effect of law, and that an agency guidance document by itself can never form the basis for an enforcement action. However, according to the new policy, “Department attorneys handling an enforcement action (or any other litigation) may rely on relevant guidance documents in any appropriate and lawful circumstances, including when a guidance document may be entitled to deference or otherwise carry persuasive weight with respect to the meaning of the applicable legal requirements.” The Attorney General directed the Department to revise the Justice Manual accordingly (aiming at JM 1-19.000 and JM 1-20.100 to 1-20.205). At the same time as the Garland memo, the DOJ published an interim final rule, effective July 16, 2021, revoking 28 C.F.R. §§ 50.26 and 50.27, amendments to its regulations that were made during 2020 pursuant to Executive Order 13891, which had imposed limitations on the issuance and use of guidance documents.
Last updated: June 27, 2022
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.