A precedent-setting case in the world of electronic banking points to a better method for securing the nation's critical infrastructure from cyberattack, according to a former Department of Homeland Security (DHS) official.
Paul Rosenzweig, former assistant secretary for policy at DHS and founder of Red Branch Law & Consulting, said the recent settlement in Patco Construction v. People's United Bank shows how civil litigation can force banks to improve their online security practices. And if that can happen in the financial industry, it can also happen with a critical infrastructure operator, he said, and be more effective than federal cybersecurity legislation or regulation.
"In the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly -- imposing costs on those who stint their cybersecurity efforts in an unreasonable manner," Rosenzweig wrote in a recent post on Lawfare.
In the Patco case, the company, a small property development and contractor in Sanford, Maine, sued People's United for authorizing six fraudulent withdrawals from its account in May 2009, totaling $588,851, even after the bank's security system had flagged each transaction as high-risk.
The fraudulent transactions -- six over seven days -- came from a computer Patco had never used before, from an IP address not recognized as Patco's, and were for amounts several orders of magnitude greater than any Patco had previously sent to third parties. The money was going to payees Patco had never before paid. The bank was able to block or recover $243,406 of that total.
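The four signals described above (unfamiliar device, unrecognized IP address, amount far outside the account's history, and a never-before-paid payee) are exactly the features a transaction risk engine scores before a transfer is released. The following is an added example, not code from the article, the bank, or Patco, showing how such a scorer can be written so that a transfer carrying several of these signals is held for out-of-band verification rather than authorized. The account profile, the transfers, the factor of 10 used for the amount check, and the two-signal hold threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed data model: what the bank knows about the account's normal
# behaviour, and the attributes of one outbound transfer request.
@dataclass(frozen=True)
class AccountProfile:
    known_devices: frozenset        # device fingerprints seen on prior logins
    known_ips: frozenset            # IP addresses seen on prior logins
    past_payees: frozenset          # third parties the account has paid before
    max_prior_third_party_amount: float  # largest prior third-party transfer

@dataclass(frozen=True)
class Transfer:
    amount: float
    payee: str
    device_id: str
    src_ip: str

# Assumption: an amount at least this many times the historical maximum is
# treated as anomalous (the article says "orders of magnitude" larger).
AMOUNT_FACTOR = 10.0
# Assumption: two or more signals make a transfer "high risk".
HIGH_RISK_THRESHOLD = 2


def risk_signals(profile: AccountProfile, xfer: Transfer) -> List[str]:
    """Return the list of anomaly signals a transfer triggers."""
    signals = []
    if xfer.device_id not in profile.known_devices:
        signals.append("new_device")
    if xfer.src_ip not in profile.known_ips:
        signals.append("unrecognized_ip")
    if xfer.payee not in profile.past_payees:
        signals.append("new_payee")
    if (profile.max_prior_third_party_amount > 0
            and xfer.amount >= AMOUNT_FACTOR * profile.max_prior_third_party_amount):
        signals.append("amount_far_above_history")
    return signals


def decide(profile: AccountProfile, xfer: Transfer) -> Tuple[str, List[str]]:
    """Authorize low-risk transfers; hold high-risk ones for verification.

    The point of the Patco case is that flagging a transfer as high risk and
    then releasing it anyway is not a commercially reasonable procedure, so a
    high-risk result here maps to a hold, never to an authorization.
    """
    signals = risk_signals(profile, xfer)
    if len(signals) >= HIGH_RISK_THRESHOLD:
        return "hold_for_verification", signals
    return "authorize", signals


# Constructed sample profile and transfers (not Patco's real data).
SAMPLE_PROFILE = AccountProfile(
    known_devices=frozenset({"dev-office-01", "dev-office-02"}),
    known_ips=frozenset({"203.0.113.10", "203.0.113.11"}),
    past_payees=frozenset({"Acme Lumber", "State Payroll Service"}),
    max_prior_third_party_amount=4_000.0,
)

NORMAL_TRANSFER = Transfer(
    amount=3_200.0, payee="Acme Lumber",
    device_id="dev-office-01", src_ip="203.0.113.10",
)

SUSPICIOUS_TRANSFER = Transfer(
    amount=98_000.0, payee="Unknown Individual",
    device_id="dev-never-seen", src_ip="198.51.100.77",
)


def run_demo() -> dict:
    """Score both constructed transfers and return the decisions."""
    return {
        "normal": decide(SAMPLE_PROFILE, NORMAL_TRANSFER),
        "suspicious": decide(SAMPLE_PROFILE, SUSPICIOUS_TRANSFER),
    }


if __name__ == "__main__":
    for name, (action, signals) in run_demo().items():
        print(f"{name}: {action} {signals}")
```

The decision function deliberately has no path that authorizes a transfer once it crosses the high-risk threshold; whatever the real scoring model, the defensible procedure is to couple a high-risk score to a hold and a second-channel confirmation, which is the gap the court found in the bank's process.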
The First Circuit U.S. Court of Appeals ruling on July 3 was the first time a federal court found that a bank's electronic transaction security procedures failed to meet the standard required under the Uniform Commercial Code (UCC) as "commercially reasonable," putting the bank on the hook for losses due to fraud.
The court did not order the bank to pay damages. Instead, it remanded the case back to the district court level, but with the strong suggestion that the parties "resolve this matter by agreement."
That resolution came late last month, with the bank agreeing to pay Patco all the money it lost to the hackers, plus about $45,000 in interest. Even though it was a settlement and not a judgment, Rosenzweig told CSO Online that it "sets a pretty good precedent because it established a broad principle about what is commercially reasonable."
"The important thing in all litigation is something you can hang your hat on," he said.
"The right way to develop cybersecurity performance standards [is] through a close, fact-bound and developmental process," he wrote earlier.
Not everyone is convinced of that. Stewart Baker, Rosenzweig's former boss when he was first assistant secretary for policy at DHS, and now of the law firm Steptoe & Johnson, said: "Civil litigation must be the slowest form of lawmaking known to man, apart from treaty negotiation."
Baker added that legislation did set standards for online banking security, "and allows the courts to decide what's commercially reasonable."
"I see the appeal of a standard that grows with the threat and doesn't set prescriptive, granular requirements that can easily become outdated," he said. "But there are problems with that approach as well. By the time even judges see the unreasonableness of a practice, a lot of damage has been done."
Rosenzweig agrees with that point, but said it does not undermine his argument. "The same thing [delay] is true of regulations or legislation," he said. "Of course bad things can happen while you're waiting for something to get done."
Baker said he agrees that critical infrastructure would be more secure today if its operators were liable for failing to meet a standard akin to "commercially unreasonable."
"But I expect the Chamber of Commerce would be horrified at such a proposal," he said.
Joel Harding, a retired military intelligence officer and an information operations expert, said the threat of litigation could push critical infrastructure operators to take more steps to protect data.
But: "[It will not provide a] system of understanding and predicting a threat before it irrevocably damages one company, two companies or even many more," he said. "There is no way to prevent the loss of a corporation's reputation, income and other resources, despite their doing their best efforts to protect that data, from a threat that has never been seen before."
"That is only possible through legislation that mandates information sharing with the government," he said. "Both approaches are necessary. One provides incentive to protect the data. The second is necessary to protect the data and predict developing threats."
The matter may be somewhat moot if President Obama issues an executive order, implementing many of the provisions of the 2012 Cyber Security Act (CSA), which failed twice to come to a vote in the Senate -- first in August and again last month, shortly after the presidential election.
Leaked drafts of the executive order suggest that the president will call for "voluntary" security standards for critical infrastructure operators.
Most experts agree they will be "voluntary" only in name. "I call them 'Don Corleone' standards," Rosenzweig said. "They're an offer you can't refuse."