by hluska 5486 days ago
From reading over the court filings, it looks like Ocean Bank's defense was built around the ACH/eBanking agreements that Patco signed before they commenced the service.

In these agreements, Patco "agreed to, among other things, assume all liability and responsibility to monitor its commercial checking account (“Account”) on a daily basis. See Modified eBanking Agreement § XIII.B; ACH Agreement §§ 11 and 12(a). Patco further agreed that it would indemnify Ocean Bank from any suits arising from its failure to abide by the terms of the Modified eBanking Agreement and the ACH Agreement"

(Source - Defendant's Answer to Plaintiff's First Amended Complaint and Counterclaims - pg 10 - retrieved from http://www.buckleysandler.com/Patco_v_Peoples(1).pdf)

This is one of those situations where the many pages of fine print came back to bite an innocent victim. The bank did not have adequate security, but they came armed with abundant proof that Patco violated its terms of service. I am Canadian, so I don't know a huge amount about US civil law, but I'm pretty sure that the US has a mitigation requirement on any torts. Patco would have violated this.

I've got to tell you, reading that .pdf makes me want to keep my money under my mattress.


Contract clauses that waive a bank's standard of due care for online security should not be enforceable. All sorts of other clauses are declared unenforceable all the time. This clearly should be one of them. It is practically the whole charter of a bank to protect funds from unauthorized access. If your contract waives that responsibility, you shouldn't be allowed to have the word "Bank" in your name.
I agree with you completely - I would give you +1000 if I could.

The part I find the funniest is that the judge actually agreed that the bank's security was lax, yet still dismissed because Patco was in violation of the agreements.

I wonder how many new business customers Ocean Bank has signed up since this suit went public? The good old free market is (hopefully) doing its thing.

But is there anything to suggest that other banks in similar business space are any different?
After having gone through the entire thread, I wish I had your patience.
Let's assume for a second that this wasn't a hacker, but a malicious employee. In your world is the bank still liable for this?
No, because even using countermeasures that meet or exceed industry best practices, a malicious employee could be expected to gain access to the account. Unlike this case, the internal fraud would be entirely outside the bank's control.
Yeah, I guess if it's in the fine print then what is the judge supposed to do? I agree, I need to find a more secure mattress.
Not allow an unconscionable clause to be enforced in court. Happens all the time.