Steptoe Cyberblog

The First Circuit and Cybersecurity

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Can you hear the legal ground shifting under the feet of the banks?

Many small businesses are now infected with keylogging software. Hackers use it to steal online-banking credentials and then initiate wire transfers from the victim's account. Keeping the hackers out is very difficult, at least for small businesses. The most promising way to defeat such fraud is for banks to deploy back-end systems that evaluate each transaction and flag unusual transfers.
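One way such a back-end check can work, shown here as an added example rather than code from this post or from any bank's actual system: a toy scorer builds a per-account baseline from previously cleared transfers and then flags a new wire on amount, beneficiary, time of day, originating IP address and velocity. The account name, beneficiaries, amounts, IP addresses and thresholds are all constructed for illustration; a real system would learn them from far richer data.

```python
"""Toy back-end wire-transfer scorer of the kind the post describes.

Added example, not code from the Steptoe Cyberblog post or from any bank.
Account history, beneficiaries, IP addresses and thresholds are constructed
for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str        # originating customer account
    beneficiary: str    # destination account identifier
    amount: float
    when: datetime
    origin_ip: str      # IP the online-banking session came from


def baseline(history):
    """Per-account profile built from previously cleared transfers."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,   # guard against a zero-spread history
        "beneficiaries": {t.beneficiary for t in history},
        "hours": {t.when.hour for t in history},
        "ips": {t.origin_ip for t in history},
    }


def risk_reasons(transfer, history, window_hours=24, velocity_limit=2):
    """List the ways a new transfer departs from the account's baseline."""
    b = baseline(history)
    reasons = []
    z = (transfer.amount - b["mean"]) / b["stdev"]
    if z > 3.0:
        reasons.append(f"amount {transfer.amount:.0f} is {z:.1f} sd above the norm")
    if transfer.beneficiary not in b["beneficiaries"]:
        reasons.append("first transfer to this beneficiary")
    if transfer.when.hour not in b["hours"]:
        reasons.append(f"initiated at hour {transfer.when.hour:02d}, outside usual hours")
    if transfer.origin_ip not in b["ips"]:
        reasons.append(f"session from previously unseen IP {transfer.origin_ip}")
    # Velocity: how many transfers already cleared in the window before this one.
    recent = [t for t in history
              if 0 <= (transfer.when - t.when).total_seconds() < window_hours * 3600]
    if len(recent) >= velocity_limit:
        reasons.append(f"{len(recent)} transfers already in the last {window_hours}h")
    return reasons


def decide(transfer, history):
    """Map anomaly count to an action: approve, queue for review, or hold."""
    reasons = risk_reasons(transfer, history)
    if not reasons:
        return "approve", reasons
    if len(reasons) == 1:
        return "review", reasons
    return "hold", reasons   # hold and confirm out of band (the phone call) first


# Constructed history: six months of twice-monthly payroll/supplier wires,
# always in business hours, always from the same office IP (TEST-NET range).
_AMOUNTS = [4800, 5100, 4950, 5200, 5050, 4900, 5150, 5000, 4850, 5100, 5000, 4950]
HISTORY = [
    Transfer("acme-payroll",
             "payroll-processor" if i % 2 == 0 else "supplier-42",
             amt,
             datetime(2012, 1 + i // 2, 3 + 12 * (i % 2), 9 + i % 3),
             "203.0.113.10")
    for i, amt in enumerate(_AMOUNTS)
]

# A routine wire, and one that looks like a keylogger-driven theft
# (new beneficiary, off hours, unseen IP, roughly double the usual amount).
LEGIT = Transfer("acme-payroll", "payroll-processor", 5200,
                 datetime(2012, 7, 2, 10, 15), "203.0.113.10")
SUSPICIOUS = Transfer("acme-payroll", "mule-account-7", 9800,
                      datetime(2012, 7, 2, 3, 12), "198.51.100.77")

# Two extra same-day wires, used to show the velocity rule on its own.
SAME_DAY = [
    Transfer("acme-payroll", "payroll-processor", 5000, datetime(2012, 7, 2, 9, 0), "203.0.113.10"),
    Transfer("acme-payroll", "payroll-processor", 5000, datetime(2012, 7, 2, 9, 30), "203.0.113.10"),
]
THIRD_TODAY = Transfer("acme-payroll", "payroll-processor", 5000,
                       datetime(2012, 7, 2, 10, 0), "203.0.113.10")

if __name__ == "__main__":
    for label, t, h in [("legit", LEGIT, HISTORY),
                        ("suspicious", SUSPICIOUS, HISTORY),
                        ("third today", THIRD_TODAY, HISTORY + SAME_DAY)]:
        action, why = decide(t, h)
        print(f"{label:12s} -> {action}: {why}")
```

The point of the layered rules is that no single signal is decisive: a new beneficiary alone is normal business, and so is a large amount, but a large amount to a new beneficiary at 3 a.m. from an address the customer has never used is exactly the pattern a stolen credential produces, and the bank, not the customer, is the party that can see all of those fields together.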

We’ve all seen that solution on the consumer side. You get a call from your bank whenever a back-end system flags an unusual charge on your credit card. Banks do that because they are liable for fraudulent consumer credit card charges. For small businesses, though, the shoe is on the other foot.

Under the UCC, as long as the bank uses a “commercially reasonable” method to authenticate its customers it can impose liability for cybersecurity failures on its commercial customers. So banks have less incentive to monitor small-business transfers aggressively. All they need to do is follow a standard contractual security protocol — unless the courts decide that the protocol is no longer commercially reasonable.

That is precisely what is starting to happen, as the trickle of keylogger fraud turns into a flood. The most recent decision, the Patco case from the First Circuit, overturns a lower court ruling that had rejected bank liability. After this decision, banks cannot feel comfortable relying on their contracts to protect them. Instead, facing a newly fluid and unpredictable liability environment, banks (and courts) will be struggling to find a reasonable way to use back-end systems to monitor for wire-transfer fraud.

On the whole, that’s a good thing. Small businesses need help from the banks, which have greater visibility into fraud patterns, to keep hackers out more reliably.

But I can’t help pointing out that the decision, which at first glance seems to be Sticking it to the Man, is in fact going to result in much more intrusive monitoring of money transfers by banks. In short, it means less privacy.

Perhaps you believe that banking privacy has been dead for years, so this is no big deal. But the lesson generalizes. Security that requires centralized authorities to engage in more aggressive and detailed behavioral monitoring of network transactions is not needed only in the banking industry. Corporate security has also shifted to internal monitoring, in the hope that spotting anomalous behavior will identify compromised machines. It’s the only technique that seems to offer much hope.

But what happens when those compromised computers go out on the Internet? Who’s watching for signs of compromise there? Right now, nobody. That makes privacy advocates very happy. But it seems to me that there’s a growing gulf between what makes the privacy advocates happy and what makes users of the net safe.