Who decides whether a business is responsible for your data, or if you yourself are? Now it may be a judge and jury.
According to a report in The Register, Joe Lopez, a small businessman from Florida, alleges that Bank of America was negligent because it failed to protect his account from compromise through known risks. He regularly used the bank's online services to send and receive money from the U.S. and Latin America, but last April he discovered an unauthorized wire transfer for $90,348 sent to a bank in Latvia. When he became aware of the fraud, he notified the police, and when the Secret Service performed a forensic examination of his PCs, they uncovered an infection by a Trojan called Coreflood.
According to the accounts, Lopez's legal case is that Bank of America did not inform its customers of the risk posed by Coreflood, even though it knew of that risk. He also makes several other claims, including negligence and intentional misrepresentation, and is bringing the lawsuit to reclaim his stolen money plus lost interest.
In the same report, Bank of America denied any breach of its e-banking system and denied responsibility for its customer's losses.
What makes this particular case stand out? It appears to be the first time cybercrime is the basis of such a lawsuit. As tensions build in the political arena over information security, data privacy and a company's responsibility to secure its customers' data, this case could define the lines of responsibility. When a customer suffers a direct loss because his information was used for fraud, is the customer responsible for the theft, or is the bank responsible for accepting fraudulent ID, in the same way it would be for cashing a check against a fake driver's license?
Bank of America released funds for a wire transfer from its e-banking system, and that wire was not authorized by its customer. On the surface, it would appear that Bank of America is the responsible party; however, I believe that either party could be found guilty, and that the verdict will depend on the technical competence of the judge and jury. In my opinion, the more technically savvy they are, the less likely it is that Lopez will win his case.
Lopez's case is based on Bank of America's failure to inform its customers of the dangers involved with Coreflood, a Trojan designed primarily for denial-of-service attacks, which functions by listening to a predetermined IRC channel for commands. This "open ear" allows a backdoor into an infected system. My hypothesis is that a hacker used that opening to install a keystroke logger, and then hit the jackpot when Lopez accessed his bank account online.
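As an added illustration (not part of the original column), this is the kind of network check a defender could run for the "open ear" pattern described above: one workstation repeatedly reconnecting to an IRC port over a sustained period. The log format, the port list and the log lines are constructed assumptions, not Coreflood indicators.

```python
"""Flag hosts that hold a persistent IRC control channel, the behaviour the
column attributes to Coreflood. Added example; log format, port list and
log lines are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Default IRC ports (assumption: a bot may use any port, so this is a heuristic).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Constructed firewall log: "<ISO time> ALLOW <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-04-05T08:01:12 ALLOW 10.1.1.20 -> 203.0.113.7:6667
2004-04-05T08:01:40 ALLOW 10.1.1.21 -> 198.51.100.9:443
2004-04-05T08:31:15 ALLOW 10.1.1.20 -> 203.0.113.7:6667
2004-04-05T09:01:18 ALLOW 10.1.1.20 -> 203.0.113.7:6667
2004-04-05T09:15:00 ALLOW 10.1.1.22 -> 203.0.113.7:6667
2004-04-05T09:31:21 ALLOW 10.1.1.20 -> 203.0.113.7:6667
2004-04-05T10:01:24 ALLOW 10.1.1.20 -> 203.0.113.7:6667
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port)."""
    ts, _action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def find_irc_beacons(log_text, min_connections=3, min_hours=1.0):
    """Return {(src, dst_ip): count} for hosts that reconnect to an IRC port
    repeatedly over a sustained window: a standing command channel rather
    than a one-off chat session."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port = parse_line(line)
        if port in IRC_PORTS:
            seen[(src, dst_ip)].append(ts)
    hits = {}
    for key, times in seen.items():
        span_hours = (max(times) - min(times)).total_seconds() / 3600
        if len(times) >= min_connections and span_hours >= min_hours:
            hits[key] = len(times)
    return hits

if __name__ == "__main__":
    for (src, dst), n in find_irc_beacons(SAMPLE_LOG).items():
        print(f"{src} held an IRC channel to {dst} across {n} connections")
```

A single IRC connection (10.1.1.22 above) is not flagged; only the host that keeps coming back is, which is the behaviour that warrants an antivirus scan of that machine.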
Lopez's assertions that Bank of America was responsible to notify him of the dangers of Coreflood are simply ludicrous. As a business owner, Lopez is responsible for the operations of his IS structure, including the ongoing maintenance of antivirus software for the protection of his systems and logical assets. Part of that responsibility is keeping antivirus definitions up to date, and regularly scanning the systems for malicious code.
I have to conclude that Lopez had not maintained his systems in a commercially reasonable manner, because even had he been running 6-month-old virus definitions at the time of the breach, the virus would have been detected. Symantec (Norton Anti-Virus) has had a scanning definition for this virus since December 2002. McAfee has had one since May 2003. Kaspersky Labs has had one since October 2003, and Sophos added one to its products in December of that year. Even if Lopez had been running Sophos, the last company to come on board with a Coreflood virus definition, his virus definitions would have had to be more than 6 months old.
Is Bank of America responsible for the illegitimate wire that was sent from Lopez's account? They say that their e-banking system was not compromised. What their assertion tells me is that no hacker has accessed their system and stolen any user names and passwords from them. Also, on Bank of America's Web site, they instruct their clients to protect their user IDs and passwords. Though I have not reviewed their online banking agreements, I have no doubt that they instruct their customers to maintain this information as secret.
If Lopez did not maintain his servers in a reasonably acceptable way, such as regularly maintaining his AV program, then I believe he did not perform his reasonably expected duty to protect his user name and password from exposure.
So who will the law say is responsible? That depends on the technical savvy of the public. Public opinion tends to run against a bank, which is seen as having deep pockets and a long record of security, while the public sees the little guy being held down when his needs aren't met. Nevertheless, if the judge and jury understand that a business is responsible for maintaining its systems, and that it was not Bank of America's system that was breached but Lopez's, I see no reason to grant Lopez an award, aside from the return of any money Bank of America is able to recover on his behalf.
About the author
Donald Smith is the IT audit manager for The Mechanics Bank of Richmond, Calif. Smith's opinions are his own, and not those of The Mechanics Bank.