Court Finds Bank Security Was Reasonable

Tuesday, August 31, 2010

David Navetta


We previously reported on the lawsuit filed by Experi-Metal, Inc. (“EMI”) and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed.

As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica’s motion for summary judgment. To make a long story short, the Court denied Comerica’s motion and this case appears headed toward trial (or potentially appeal or settlement).

Ironically, in the course of its ruling, the Court found that Comerica had utilized commercially reasonable security procedures. However, that finding had more to do with the language in Comerica’s contracts than with any substantive analysis of Comerica’s security procedures. In this blog post, we take a closer look at the Court’s ruling.

The Standard for a Motion for Summary Judgment

To prevail in a motion for summary judgment (“MSJ”), the movant (Comerica) has the burden of establishing “the absence of a genuine issue of material fact.” If Comerica can meet this burden, the non-movant (EMI) can still defeat the MSJ if it is able to come forward with facts showing that a genuine issue of fact exists for trial.

Under this standard, the court must accept EMI’s evidence as true and draw all justifiable inferences in EMI’s favor. It is under this standard that the court reviewed the available evidence and relevant law, and ultimately denied the MSJ.

Relevant Facts

As set forth in the various briefs filed by the parties, the factual scenario around the online banking breach was quite complex. The Court’s opinion actually cuts through (some might say ignores) this complexity.

Significantly, EMI had argued that Comerica actually provided EMI with two different services, but failed to implement a contract for the second “service.” The court did not buy this argument. While Comerica had changed the name of its online banking service, the Court found that it was still providing the same service to EMI.

This finding is meaningful because if the name change had actually been a new service, EMI could have maintained that Comerica failed to comply with the contract requirements of Michigan’s version of UCC 4A-202 (sections MCLA 440.4702 and 440.4703 of Michigan’s Uniform Commercial Code). The end result of this finding was that EMI’s online banking and wire transfers in this case were governed by two agreements that Comerica entered into with EMI: the Treasury Management Services Agreement (for Comerica NetVision Wire Transfer -- the "Services Agreement") and Comerica’s Treasury Management Services Master Agreement (the "Master Agreement").

Another important fact in the Court’s view was the authority provided to EMI’s Controller (Keith Maslowski) for purposes of effectuating wire transfers. Maslowski was the person that actually provided the criminals with EMI’s online banking login credentials during a “phishing attack.”

The Court held that contradictory evidence existed as to whether Maslowski was authorized to execute transfers through Comerica’s online banking service, and therefore a genuine issue of fact existed as to that authority. This factual discrepancy plays significantly into one of the legal elements Comerica needed to establish on this MSJ: whether Comerica followed agreed-upon security procedures (discussed further below).

The timing of the fraudulent wire transfers and of the communications between EMI and Comerica was also an important factor in the Court’s ultimate decision. On January 22, 2009 (the day of the breach) 47 wire transfers were initiated using EMI’s account. After noticing the wire transfer activity, at 12:05 that day, Comerica called EMI to inquire about the wire transfers.

At that time EMI told Comerica that it had not authorized the 47 wire transfers, and instructed Comerica not to honor those transfers or any other requested transfers (EMI also sent a follow-up email with essentially the same instructions shortly after this call). Within 24 minutes of this call, most wire transfer activity had been halted. Nonetheless, between 10:53 a.m. and 2:02 p.m. an additional 46 wire transfers were initiated using EMI’s account.

In addition to the facts mentioned above, the Court made its decision based on evidence concerning the following factual assertions:

    * Comerica’s evidence that it provided EMI with the option to require two simultaneous user logins and approvals in order to wire money using online banking

    * Comerica had previously used a digital certificate security procedure to authenticate online banking users (before switching to the secure token-based system that is at issue in this case), and as part of that old security procedure, Comerica periodically sent out emails requiring users to enter their login credentials in order to renew those digital certificates. From a security standpoint this practice matters because it conditions customers to respond to emailed requests for their credentials, which is precisely what a phishing email asks them to do.

Now that we have laid out the key facts used by the Court to make its decision, let’s look at the law at issue and how the Court applied it to this fact pattern.

Summary of the Law at Issue

EMI’s complaint alleged that the payment orders initiated from its account were not effective as payment orders of EMI because Comerica failed to comply with sections MCLA 440.4702 and 440.4703 of Michigan’s Uniform Commercial Code. Rather than restate the specific rules, we will look to the Court’s summary of them.

The Court indicated that for a payment order to be an effective order of EMI, even though EMI did not actually initiate the order, the following elements must be established under 440.4702(2):

1.  an agreement between Comerica and EMI that the authenticity of payment orders would be verified pursuant to a security procedure;

2.  the security procedure is commercially reasonable;

3.  the security procedure and any written agreement or instruction by EMI is followed by Comerica; and

4.  Comerica establishes that it acted in good faith in accepting the payment order.

In addition, the Court looked to section 440.4702(3) of Michigan’s Uniform Commercial Code for purposes of analyzing whether Comerica’s security procedures were commercially reasonable. Under that section a security procedure will be deemed reasonable if the following elements are met:

A. the security procedure was chosen by EMI after Comerica offered, and EMI refused, a security procedure that was commercially reasonable for EMI; and

B. EMI expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by Comerica in compliance with the security procedures chosen by EMI.

After reciting how it viewed the law, the Court proceeded to apply the facts at issue. For ease of reference, the next section of this blog post will refer to the Court’s judgment on each element listed above according to the numbering (or lettering, as the case may be) used above.

The Court’s Application of the Law

As to Element 1., the Court looked to the language of the Services Agreement and Master Agreement that EMI had entered into with Comerica. As an initial matter, the Court rejected EMI’s argument that Comerica had provided two separate services, one governed by the Services Agreement and Master Agreement, and the other governed by no agreement (according to EMI).

The Court held instead that despite the name change Comerica had provided a single online banking program subject to the relevant agreements. Had EMI established its two-service argument, it probably would have been very difficult for Comerica to establish compliance with 440.4702(2).

Having done away with EMI’s two service argument, the Court then turned to Element 2., whether the security procedure at issue, use of token-based multifactor authentication, was commercially reasonable. For this the Court analyzed Elements A. and B. above.

Comerica argued that it had offered EMI an initial security procedure, which EMI rejected, and therefore the subsequently implemented token security should be deemed reasonable by the Court under 440.4702(3). In particular, Comerica claimed that it offered EMI the ability to prohibit wire transfers unless two individuals separately approved the transfer, and EMI rejected this security procedure.

The Court, however, rejected this argument. First, the Court reasoned that requiring additional user approvals was not a “security procedure,” but rather “an option or element within a security procedure.” The security procedure in this case, the Court found, was the “secure token technology.”

Moreover, the Court noted that at the time the multiple user option was provided to EMI, Comerica was using the digital certificate technology, not the secure token technology.

Nonetheless, the Court eventually did find that Comerica’s security procedure was commercially reasonable as a matter of law. To do so, however, the Court did not engage in a substantive analysis of the commercial reasonableness of Comerica’s secure token technology.

Instead, it relied on the contract language of the Service Agreement and Master Agreement. In both agreements, EMI agreed that the existing (and future) security procedures used by Comerica were commercially reasonable. In particular, in the Service Agreement, EMI agreed to the following:

    “Customer [EMI] agrees that the Security Procedures are commercially reasonable for the type of entries which Customer may transmit to the Bank [Comerica]”

Similarly, in the Master Agreement EMI agreed that by utilizing the online banking service and employing the security procedure at issue, “the Security Procedure is commercially reasonable for the type, size and volume of transactions [EMI] will conduct using the Service.”

Based solely on the contract language in both agreements that EMI agreed to be bound by, the Court held that Comerica’s secure token security procedure was commercially reasonable as a matter of law. In fact, the Court rejected testimony by EMI’s expert witness that contradicted Comerica’s claim that its security procedure was commercially reasonable (the Court described the testimony as ineffective “parol evidence”).

Thus, what we have here is (to this author’s knowledge) the first court in the United States rendering a judgment on the issue of commercially reasonable security as a matter of law. However, the Court did not independently analyze, as a substantive matter, whether the security was reasonable.

The ruling was based purely on the contract language. One wonders whether the same result would have occurred if Comerica had used a security procedure that was glaringly weak. For example, if Comerica had only required a person to input their first and last name to login into EMI's online banking account, would similar contract language agreeing to reasonableness be effective?

At this point one reading the Court’s decision might be tempted to stop reading: clearly Comerica had established major elements of the MSJ. However, the Court still required Comerica to jump through some additional hoops, in particular Elements 3. and 4. above.

Element 3. requires Comerica to establish that there was no genuine issue of fact as to whether Comerica followed its commercially reasonable security procedures. On this count the fuzzy scope of Maslowski’s wire transfer authorization did Comerica in. The Court ruled that a question of fact existed as to whether Maslowski was authorized to perform wire transfers using Comerica’s online banking services.

If, as EMI contended, Maslowski was not authorized to make transfers, then a jury could find that Comerica did not follow its commercially reasonable security procedure. Stated differently, in EMI's view allowing an unauthorized person to initiate wire transfers would be a failure to follow the agreed-upon security procedures. This failure to satisfy Element 3. was an independent basis to deny Comerica’s motion for summary judgment.

The Court went further, however, and also held that Comerica failed to establish Element 4. On this element, the Court analyzed the “good faith” requirement of 440.4702(2). The Court noted that the concept of good faith used in the UCC context is both subjective (i.e. “honesty in fact”) and objective (i.e. “observance of reasonable standards of fair dealing”).

On this issue, the court analyzed four arguments put forth by EMI maintaining that Comerica did not act in good faith, including an alleged failure to act in good faith because Comerica:

    * failed to institute additional security procedures that would have enabled it to detect the unusual activity with EMI’s account

    * allowed thieves to initiate 47 wire transfers even though EMI had initiated only two wire transfers in the preceding two years (and both of those came a full two years before the transfers initiated by the thieves in this case)

    * failed to be alerted to the fraudulent nature of the wire transfers based on the unusual destinations of those transfers (e.g. Moscow, Estonia and China); and

    * allowed the initiation of 46 additional wire transfers after being instructed by EMI that Comerica should not honor any more transfers.
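The three fact-based good faith arguments above (a day's volume far above the account's history, destinations the account had never used, and transfers still being released after the customer's stop instruction) are exactly the kind of conditions a bank's wire-monitoring layer can evaluate before a payment order is released, and the timeline given earlier in this post (the 12:05 call and the wires initiated afterward) is the edge case the third rule has to handle. The following Python example is an added illustration written for this post; it is not Comerica's system and nothing in it comes from the opinion. The account identifier, the transfer records, the two-year window, the 5x velocity multiplier and the reason codes are all constructed assumptions. The sample data is only loosely shaped like the facts described above (two old domestic wires, a burst of foreign wires, a stop instruction at 12:05 with wires after it).

```python
"""Rule-based screening of outbound wire transfers.

Illustrative example only: not Comerica's controls and not drawn from the
opinion. The account, the transfer records, the thresholds and the reason
codes are constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy knobs (constructed, not from the ruling or any bank).
BASELINE_WINDOW = timedelta(days=730)   # history considered "recent": two years
VELOCITY_MULTIPLIER = 5                 # today's count vs the count in that window


@dataclass(frozen=True)
class Wire:
    wire_id: str
    account: str
    initiated: datetime
    amount: float
    dest_country: str   # ISO 3166 alpha-2 code


def screen_wires(history, batch, stop_instructions=None):
    """Return {wire_id: [reason codes]} for every wire in `batch` needing attention.

    history:           wires previously accepted for the account
    batch:             wires proposed today, in initiation order
    stop_instructions: {account: datetime} recording when the customer told the
                       bank to honor no further transfers (None if no call came in)
    Reason codes: "velocity", "new_destination", "after_stop".
    """
    stop_instructions = stop_instructions or {}
    findings: dict[str, list[str]] = {}
    if not batch:
        return findings

    def flag(wire, code):
        findings.setdefault(wire.wire_id, []).append(code)

    first = batch[0].initiated
    recent = [w for w in history if w.initiated >= first - BASELINE_WINDOW]
    known_countries = {w.dest_country for w in history}

    # Rule 1 (volume): a day's count far above the recent baseline flags the whole day.
    # max(1, ...) keeps a dormant account from multiplying zero and still allows a few wires.
    today = [w for w in batch if w.initiated.date() == first.date()]
    if len(today) > max(1, len(recent)) * VELOCITY_MULTIPLIER:
        for w in today:
            flag(w, "velocity")

    for w in batch:
        # Rule 2 (destination): a country this account has never sent money to.
        if w.dest_country not in known_countries:
            flag(w, "new_destination")
        # Rule 3 (stop instruction): anything initiated at or after the customer's
        # instruction is a hard block, not a review item.
        stop_at = stop_instructions.get(w.account)
        if stop_at is not None and w.initiated >= stop_at:
            flag(w, "after_stop")
    return findings


def blocked_ids(findings):
    """Wires that must not be released regardless of analyst review."""
    return {wid for wid, codes in findings.items() if "after_stop" in codes}


def build_sample():
    """Constructed data loosely shaped like the facts the post describes."""
    acct = "ACCT-0001"
    # Two domestic wires two years earlier: the account's entire history.
    history = [
        Wire("H1", acct, datetime(2007, 1, 10, 9, 0), 12_000.0, "US"),
        Wire("H2", acct, datetime(2007, 1, 12, 9, 0), 8_500.0, "US"),
    ]
    day = datetime(2009, 1, 22)
    before_call = [(7, 30, "RU"), (7, 42, "EE"), (8, 5, "CN"),
                   (9, 10, "RU"), (10, 53, "EE"), (11, 40, "CN")]
    after_call = [(12, 20, "RU"), (13, 15, "CN"), (14, 2, "RU")]
    batch = [Wire(f"W{i}", acct, day.replace(hour=h, minute=m), 25_000.0, c)
             for i, (h, m, c) in enumerate(before_call + after_call, start=1)]
    # The customer's "honor nothing further" instruction, taken here as 12:05.
    stop = {acct: day.replace(hour=12, minute=5)}
    return history, batch, stop


if __name__ == "__main__":
    history, batch, stop = build_sample()
    findings = screen_wires(history, batch, stop)
    blocked = blocked_ids(findings)
    for w in batch:
        status = "BLOCK" if w.wire_id in blocked else ("REVIEW" if w.wire_id in findings else "ok")
        print(f"{w.wire_id} {w.initiated:%H:%M} {w.dest_country} {status:6} {findings.get(w.wire_id, [])}")
```

Two design points are worth noting. The first two rules only raise a review item, because a legitimate customer can change its business and start wiring abroad; the third rule is a hard block, because once the customer has said "honor nothing further" there is no analyst judgment left to exercise, and the wires released after that point are the ones a court is likely to look at hardest on the good faith question. The velocity rule also compares against the recent window rather than all-time history, so an account dormant for two years is treated as having no baseline at all.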

While the Court did not agree with EMI’s first argument concerning additional security procedures (it felt that such arguments were relevant to the issue of “commercially reasonable security,” not “good faith”), it did agree that EMI’s other positions were valid in the MSJ context.

In particular, with respect to each of EMI’s other contentions, the Court held that Comerica failed to provide evidence to establish that it had acted in good faith in accepting the payment orders at issue.

As such, the Court held that genuine issues of material fact existed as to Comerica’s good faith under 440.4702(2). This too was an independent basis for denying Comerica’s motion for summary judgment.

Observations and Conclusion

So there we have it: the first court to make a finding of commercially reasonable security as a matter of law, and it did so without actually analyzing the security Comerica had in place.

It remains to be seen whether this case moves forward, is appealed or is settled at this point. What is clear, however, is that if other courts adopt the same analysis as this Court, banks may have some difficulty disposing of these cases early on and before trial. It will be interesting to see what transpires.

On one hand, the case sets forth a contract-based procedure for banks whereby, based on the language of the contract and the timing of the contract (relative to providing a customer with various security procedure options), a bank can potentially establish that it used “commercially reasonable security procedures” and protect itself in advance of a security breach under UCC 4A-202. On the other hand, the good faith requirement of UCC 4A-202 suggests that both the bank’s fraud detection controls and its post-incident response will be scrutinized (especially its ability to call back or stop wire transfers that are in process). The issue of good faith, some would argue, is one of those questions of fact that rarely has a clear answer.

Overall, some of the Court’s reasoning could be challenged on appeal. As noted, the Court failed to substantively scrutinize Comerica’s security procedures, and instead based its commercially reasonable security holding on the language of Comerica's agreements.

One could argue that the issue of commercially reasonable security under UCC 4A-202 should be independent of the language in a contract. For example, if a bank only required somebody to type their first and last name into a system in order to log in, and that was agreed to be reasonable security by the customer in a written agreement, would it truly be reasonable security from an objective standpoint?

One might argue that the Court failed to take into account the objective standard that may be implied by the use of the word “reasonable” in this section of the UCC. The Court’s reliance on the parol evidence rule might also be scrutinized, since EMI's cause of action was statutorily based (i.e. it arose outside of the contract).

In addition, the Court appeared to draw several distinctions as to what procedures and controls constituted a “security procedure” under MCLA 440.4702. Under MCLA 440.4701, “security procedure” is defined to mean a procedure established by agreement of a customer and a receiving bank for the purpose of: (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication.

At one point in its decision the Court rules that the “security procedure” at issue is the “secure token technology.” It rejected Comerica’s contention that a multiple-login requirement is itself a security procedure, and implied that a multiple login combined with secure token technology is not a separate security procedure from one that utilizes only secure tokens.

The Court also seems to suggest that fraud detection procedures based on wire transfer frequency and location are not “security procedures.” The meaning and scope of security procedure in this case could impact parts of this ruling.

For example, if fraud detection measures based on the frequency and location of wire transfers are security procedures (or part of a security procedure), then by the Court’s own reasoning, considering Comerica’s failure to implement such measures would not be appropriate for the “good faith” analysis under 440.4702(2), and would instead belong to the commercial reasonableness analysis the Court declined to undertake.

Overall, we will continue to monitor where this case is going and will provide updates at the website as the situation develops.

Cross-posted from InfoLawGroup
