Alert August 09, 2011

Court Recognizes “Commercial Reasonableness” in Finding for Bank in Data Security Breach Case

People’s United Bank, the nation’s largest regional bank headquartered in New England, won a key victory in a data security breach case that had been followed for two years by the national banking associations, as well as by American Banker and other industry publications.

Patco Construction Company Inc., a commercial customer of the bank, brought suit alleging that the bank was responsible when third-party cybercriminals allegedly breached Patco’s computer system, stealing passwords and challenge question answers allegedly through the use of keylogging malware, and executed a series of fraudulent withdrawals from Patco’s checking account. Patco filed suit against People’s United in 2009, alleging negligence, breach of contract, breach of fiduciary duty, unjust enrichment and conversion.

In May 2011, Magistrate Judge John Rich recommended that the court grant People’s United’s motion for summary judgment on all six counts and deny Patco’s cross-motion for summary judgment. In a detailed, 70-page opinion, Rich found that People’s United had “demonstrated that the security procedures that it had in place as of May 2009 were commercially reasonable” under Article 4A of the UCC and that the rest of Patco's claims were preempted. On August 3, 2011, Judge Brock Hornby upheld the Magistrate’s recommendation.

“This was one of the first cases of its kind in the United States to deal with online hacking of bank accounts,” said Goodwin partner Brenda Sharton, who led the litigation team representing People's United. “People's United Bank’s online banking security system is state of the art and among the best in use. Through this decision, the court recognized the commercial reasonableness of that system under the law.” You can contact Brenda at 617.570.1214 to discuss this case.
