Goodwin Procter achieved an important victory for People’s United Bank, the nation’s largest regional bank headquartered in New England, in a case of first impression concerning a data security breach. Patco Construction Company Inc., a commercial customer of the bank, brought suit alleging that the bank was responsible when third-party cybercriminals breached Patco’s computer system, stealing passwords and challenge question answers allegedly through the use of keylogging malware, and executed a series of fraudulent withdrawals from Patco’s checking account.
Patco filed suit against People’s United in 2009, alleging negligence, breach of contract, breach of fiduciary duty, unjust enrichment and conversion. After extensive discovery, including the depositions of multiple experts regarding the commercial reasonableness of the security procedures used by People’s United, both Patco and People’s United filed cross-motions for summary judgment.
On May 27, 2011, Magistrate Judge John Rich recommended that the court grant People’s United’s motion for summary judgment on all six counts and deny Patco’s cross-motion for summary judgment. In a detailed, 70-page opinion, Rich found that People’s United had “demonstrated that the security procedures that it had in place as of May 2009 were commercially reasonable” under Article 4A of the UCC and that the rest of Patco’s claims were preempted.
On August 3, 2011, Judge Brock Hornby held an oral argument on the summary judgment motions and Patco’s objections to the Magistrate’s recommendations. Goodwin argued the motions on behalf of People’s United Bank. In a decision issued on August 4, 2011, Judge Hornby upheld the Magistrate’s recommendation, granting the bank’s motion for summary judgment and denying Patco’s motion.
The case had been followed for two years by the national banking associations, as well as by American Banker and other industry publications.
“This was one of the first cases of its kind in the United States to deal with online hacking of bank accounts,” said Goodwin. “People’s United Bank’s online banking security system is state of the art and among the best in use. Through this decision, the court recognized the commercial reasonableness of that system under the law.”