Can your business afford to lose all its money in the bank?
Posted on 02/24/2014 at 12:55 PM by John Lande
Employers of all sizes should already know that they are vulnerable to cyber theft. What they may not appreciate is the full scope of the threat and the potential liability they face if they are ever a victim of theft over the internet. Your company's important financial and confidential information is a lot less secure than you think. Consider that in January 2014 Yahoo.com users in Europe were infected with malicious software (malware) that, among other things, allowed hackers to access information from Yahoo users. The Yahoo attack was insidious because all users had to do to have the malware installed on their computer was visit the main Yahoo website.
Once they loaded the site, a malicious advertisement secretly installed malware that allowed hackers to gain access to users' computers. Users did not have to click any links or open any files to have the malware installed. Once the malware is installed, hackers have a wide variety of ways to intercept a business's banking and financial information. For example, some malware allows hackers to modify payment requests sent from an employer's computer to a financial institution. An employer may think that it has entered the account number for a supplier or the appropriate payroll accounts, but after the request is sent, hackers can modify the account numbers and route money to alternate accounts. This is often referred to as corporate account takeover ("CATO").

Corporate funds are particularly vulnerable to loss. Unlike with consumer funds, financial institutions may not be required to reimburse a corporate customer's account in the event hackers are able to electronically access and steal money held by the company in an account. Most employers are probably familiar with the protections afforded by Regulation E, even if they don't know it by name. Regulation E is the federal law that requires financial institutions to reimburse customer accounts when a customer is a victim of credit or debit card fraud. Assuming the customer complies with certain notice requirements, a customer's maximum liability will usually not exceed $50. Corporate accounts are different. They are governed not by federal law, but by the Uniform Commercial Code ("UCC").
Unlike Regulation E, the UCC requires financial institutions and businesses to share responsibility for the security of corporate funds. The UCC initially imposes liability on financial institutions for corporate account losses arising from fraud. However, if the financial institution and corporate customer agree on a commercially reasonable security procedure, then the financial institution can shift the risk of loss to the corporate customer. It is then the responsibility of the corporate customer to make sure that fraudsters don't gain access to its accounts and transfer funds out of them.

The losses suffered by corporate customers can be significant. In a 2013 decision in Missouri, a company was held responsible for a $400,000 loss. The company failed to utilize the security procedures offered by its bank, and instead decided to trust its own security procedures and employees.

Employers need to take seriously the necessity of securing their systems from malicious software. Unlike in the consumer context, employers cannot depend on their financial institutions to automatically make them whole. That's why employee training and up-to-date security systems are absolutely critical to an employer's ongoing business. Financial institutions may also want to consider working with corporate clients to bolster their security protocols. Regardless of where liability ultimately rests, avoiding fraud losses altogether makes business sense for both employers and financial institutions.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande