NORMAN — Have you ever actually read the agreement you have with your bank, or did you simply “sign on the line,” ignoring the pesky details about who’s required to do what?
After all, who can understand all that ridiculous legalese, anyway? Who’s got time for such hassles?
Some local businesses are discovering the hard way they need to make time for such hassles after having their online bank accounts drained by Internet crooks. After losing many thousands of dollars, they are learning the agreements they signed do not obligate their banks to cover their losses. These victims may just have to kiss that stolen money goodbye forever.
A little-known fact about Internet banking is that different rules apply to individual, personal accounts as opposed to business accounts. Banks are required to make good some types of losses from personal accounts. While banks are required to provide “commercially reasonable” online security measures, federal regulations regarding reimbursement to personal accounts do not apply to business accounts.
Most online banking agreements for personal accounts encourage individuals to practice good computer security, such as the following:
“You are responsible for keeping your password, account numbers, personal identification information and other account information confidential. You are also responsible for using a compatible web browser that has a high security standard. The Bank is not responsible for customer errors or negligent use of Online Banking and will not be liable for losses due to negligent handling or sharing of passwords or leaving your computer unattended during access. The Bank will not be liable if you, or anyone you allow, commits any fraud or violates any law or regulation, or if you have not properly followed the instructions using Online Banking.”
Even with that stern language, losses from personal accounts are limited, and most agreements continue with the following:
“If your account has been compromised and you tell The Bank within two days after you learn of a loss or theft, you can lose no more than $50 if someone used your online password to access your account. If you do not tell us within two business days, and we could have stopped someone from taking money without your permission, you could lose as much as $500.”
In other words, if you find out your personal, individual online bank account has been hacked and you have lost money, and you report the loss in time, your losses are limited. Contrast that with the following, which is representative of most online banking agreements for business accounts:
“You agree to be bound by any transfer, instruction or payment order we receive through the Services, even if it is not authorized by you, if it includes your password or is otherwise processed by us in accordance with our security procedures. You agree to establish, maintain and update commercially reasonable policies, procedures, equipment and software that will safeguard the security and integrity of your computer system and information from unauthorized use, intrusion, takeover or theft, and prevent your password from unauthorized discovery or use.”
“You bear all risk of fraudulent transfers and other losses arising from your failure to follow this agreement or from the interception of your communications prior to their receipt by us. The Bank will not reimburse you if you fail to follow the procedures outlined in this agreement. You agree that The Bank is authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us with your password.”
Put plainly, if you, as a business owner, do a crummy job of protecting your online banking passwords, and your business gets ripped off, too bad for you. Under the terms of the agreement you signed, the bank is not obligated to cover your losses.
Banks are required to provide “commercially reasonable” online security measures to protect their customers’ accounts, both personal and business. Recent court decisions are beginning to clarify what that means, and some banks with shoddy security protections have been held liable for business account losses in spite of the disclaimers contained in their online banking agreements.
Patco vs. People’s United (Ocean) Bank is one case where the court found the bank liable for losses, even though Patco had lousy computer security; the court said the bank’s security was lousy, too. Another case, Experi-Metal vs. Comerica Bank, had a similar end.
Keep in mind, though, that, even with courts requiring banks to provide stronger, “commercially reasonable” security for online banking, business customers cannot expect the same loss coverage as individual customers. Read the agreement you signed. If your bank is doing a good job security-wise, and your business gets ripped off because your security stinks, you may be up the proverbial creek without a paddle.
Dave Moore of Norman has been an independent computer service technician since 1984. He also teaches computer security workshops to public and private organizations. He can be reached at 405-919-9901 or www.davemoorecomputers.com.