Do Banks Have a Legal Duty to Notify Customers About Specific Computer Viruses?
A Miami Suit Raises the Question

By ANITA RAMASASTRY

Thursday, Feb. 10, 2005

In early February, Miami businessman Joe Lopez sued Bank of America to recover $90,000 that vanished from his online bank account. Lopez says the money was stolen after someone hacked into his personal computer and accessed his account information. And he says that Bank of America was negligent in failing to notify him of the computer virus that allowed the hacker easy access to his confidential banking information.

This lawsuit appears to be the first suit by a customer against a U.S. bank to recover money apparently stolen by cyber criminals. It highlights an interesting question: Are personal computer users solely responsible for the security of their own PCs? Or might others - such as companies of which they are customers - be responsible too?

The Facts of the Lopez Case

In April 2004, Lopez logged on to check on a wire transfer he was expecting. (As head of Ahlo Inc., a five-person business that buys and sells printer ink and toner, Lopez often wires money to, and receives wire transfers from, U.S. and Latin America)

But when he checked his account, Lopez found that over $90,000 had been wired to Parex Bank in Riga, Latvia -- without his approval. He alleges that about $20,000 had already been withdrawn, while the remaining $70,000 was subsequently frozen by Parex Bank, where the money remains.

The U.S. Secret Service, which investigates computer-based attacks on banks, looked into the situation. In November, it sent Lopez a letter saying its "initial examination" had determined that a variant of a virus called "coreflood" had existed on his computer systems - but did not opine as to whether the virus had caused Lopez's money loss.

Still, it may be likely that coreflood did cause the loss: It is malicious software code that can give an attacker remote access to the infected system. As of now, it is unclear whether Bank of America was aware of the risks the virus posed.

According to news reports, Bank of America's assistant general counsel wrote to Mr. Lopez and his counsel, taking the position that the bank was not responsible for the loss because no one had hacked into the bank's own system to initiate the funds transfer.

Reportedly, the bank advised Mr. Lopez to contact Parex Bank and the Latvia Prosecutor's office himself, to try and recover the money.

Lopez decided to sue. He brought a variety of claims against the bank based on the theory that the bank was responsible for his loss because it failed to warn him about the coreflood virus.

(Lopez also separately claimed that a large wire transfer to Latvia, which is known in financial and law enforcement circles for its problems with cyber criminals, should have raised a red flag - an issue that is beyond this column's scope. A very specific body of law governs wires transfers. Banks, in many cases, are justified in accepting a wire transfer as valid as long as certain security procedures are followed.)

Banks Should Be - and Are - Responsible for Their Own Computer Systems

Should Bank of America be responsible for Lopez's loss?

Of course, banks should be legally responsible for maintaining appropriate security measures for their own networks. If a customer entrusts a bank with his money and his personal data, the bank should take reasonable precautions to keep the data safe. And if the bank provides a customer with software - something which did not happen in the Lopez case - that software should include proper security measures, too.

And obviously, banks should have to notify customers of breaches to the banks' own systems - especially when customer information may have been stolen. For instance, a 2003 California law requires businesses to promptly notify customers residing in California if a computer security breach may have resulted in the theft of their personal information.

Moreover, warning customers of known risks to their PCs will always be a smart business practice on the bank's part - regardless of whether it is legally mandated.

But should banks have what, in effect, would be a legal duty to protect customers' PCs?

Banks Should Not Also Be Responsible for Protecting Customers' Personal Computers

In my view, the answer is no: The responsibility should remain solely with the PC user. Lopez, as well as other computer users, need to install anti-virus software, and keep this software current.

To hold banks legally responsible, I believe, is an unworkable solution. Analogously, while banks provide us with checkbooks, they are not - and should not be -- responsible for monitoring our mailboxes to guard against the checkbooks' theft.

If banks were legally required to notify customers about any possible virus or threat, it's likely a flood of notifications would follow. Would the notifications have to tell customers how to fix the problem or remove the virus? If not, they would be of little use. If so, they would be unduly burdensome for the bank.

Different viruses impact different computers and operating systems in different ways. Would a given bank have to identify solutions for each of its customers? It seems much more efficient for each customer to have a relationship with a computer manufacturer or software company, which ought to be keeping track of the vulnerabilities of its product anyway.

If banks have a duty to notify us of viruses, will they also have a duty to notify us of any possible financial scam? Many consumers, for example, are currently receiving phony emails that appear to come from their banks, asking them to update their account information online. This technique is known as "phishing"; I discussed it in an earlier column.

These emails are hoaxes - they look real - but are generated by fraudsters who trick customers into providing confidential information online - leading to loss of money and identify theft. Yet, we cannot expect banks to notify their customers of every situation where someone sends out a fake email.

In the end, the notion that banks and companies should have a legal duty to ensure that their customers take adequate precautions when it comes to their own PCs is not a practical approach. Tort law imposes a reasonable duty of care; asking banks to become experts in security issues for every computer on the market is unreasonable. The legal duty of banks to protect against hacking should be limited to their own networks - about which they are knowledgeable, and over which they have control.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology.

FindLaw Career Center

    Select a Job Title


      Post a Job  |  Careers Home

    View More