Identity theft and data security continue to be a murky topic at best. On one side, there are federal laws such as FACTA, HIPAA, Red Flags, etc. that lay out requirements for companies to follow to protect your finances, medical records, and so forth. On the other side are the courts, which continue to wrestle with the interpretation of those laws when a company is found to be in violation. Keep in mind that fines and penalties for a FACTA violation can be imposed by the Federal Trade Commission even though a court may find that the company is not liable for losses. It’s all part of the strange legal world, where things may not be just or fair, and still comply with “The Law”.
For example, we can look at a couple of cases that have hit the news this year - Experi-Metal v. Comerica and Patco Construction v. Ocean Bank.* These two cases are very similar, and showcase what is happening in the legal arena.
Experi-Metal Wins Against Comerica
Experi-Metal is a specialized metals manufacturer. In January of 2009 Experi-Metal responded to an e-mail from Comerica, which turned out to be a phishing e-mail. The scammers wasted no time and initiated 97 wire transfers totaling over $1.9 million. Apparently, after several of these transfers, Experi-Metal found out what was going on and instructed the bank not to honor further wire requests. A Michigan Court found that Comerica did not act in “good faith” when handling these transfers, and ordered the bank to pay back over a half million dollars. A quick review of the 26 "Red Flags" that banks should look for, according to Bank Info Security, shows at least two places where the bank does not appear to have been in compliance. The most obvious is the fact that for two years prior Experi-Metal had only executed two other wires. The fact that they “ordered” 97 should have raised concerns for somebody at the bank. This kind of activity would send an alarm through your credit card company, and somebody would be calling you to ask you why the sudden change.
Financial institutions have been fighting Red Flags and scrambling for exemptions since the rules were first enacted. Banks and credit unions do not appear so concerned with what happens to your money as they would like you to believe, and seem to resent being told that they have to. Naturally, Comerica is appealing the judgment, so Experi-Metal is still out the cash, and may not see it for several years, if ever.
Patco Loses to Ocean Bank
Patco experienced a similar violation; however, it was not a phishing attack that compromised their ID and password but a Trojan that made its way into their network. In this particular case, the court ruled in favor of Ocean Bank, which claimed that Patco failed to protect their credentials appropriately. It was also mentioned in the judge’s opinion that Patco continued to use computers that were compromised even after they determined that something hinky was going on.
The difference here is slight, and may have a lot to do with the fact that the cases were in different states. Coupled with the fact that there is still no clear definition of what level of fraudulent activity should be obvious to banks, there is still a lot of “wiggle room” for attorneys to find technicalities and loopholes for their clients – and when a client has the cash behind it that most banks do, they tend to have very clever attorneys.
Of course, Red Flags focuses on personal accounts, and may or may not have any relevance to commercial accounts such as these. And as mentioned before, Red Flags seems to be targeted toward new account fraud, although some of the language in a Bank Info Security article leans toward existing accounts.
The smart consumer will pay attention to these laws and court rulings. What is being applied to businesses today may very well become the benchmark for dealing with individuals in the future, especially when those court rulings benefit the entrenched financial establishment. In the meantime, consumers have the safety of the Electronic Funds Transfer Act (EFTA) to help them recover money stolen by an identity thief. But your Guide suspects that this, too, is due to change soon.
*Although your Guide is an expert on identity theft and is versed in various legal documents related to data security and identity theft, he is not an attorney. Comments in this article are not to be taken as legal advice.