
Data Privacy and Security Client Alert - October 2015


Your Business May be Liable for Cyberfraud

Most individuals know that if they are the victim of theft or fraud involving their personal bank accounts or credit cards, the bank or card issuer will reimburse them for the fraudulent transactions. Most businesses assume they are entitled to the same reimbursement; that is not necessarily the case. Why? Consumer accounts are covered by the Electronic Fund Transfer Act and its implementing rule, Federal Reserve Regulation E, which requires the bank to reimburse the individual in most circumstances. Business bank accounts, however, fall under the Uniform Commercial Code (Article 4A for funds transfers), which essentially lets each bank set, in its account agreement, the conditions under which a business client will or will not be reimbursed.

The number of businesses falling victim to cyber criminals is growing, and most of them are unaware that their bank will accept no responsibility and offer no reimbursement for cyber fraud. In one case, the thieves gained access to the email account of the executive authorized to direct transfers, and with it his Outlook calendar. While he was in meetings, they used his email to instruct his bookkeeper to transfer money (to the tune of $1 million) to accounts outside the United States. Because they had been reading his email for some time, they knew exactly how to answer when the bookkeeper asked questions about the transfers, and they deleted the entire exchange before the executive returned from his meetings, so he had no knowledge of the impersonation or the fraudulent transfers. Once discovered, the transfers were promptly reported to the company's bank. The bank said it was sorry for the loss but not responsible: it had followed the funds-transfer procedures the business had agreed to.

Many business owners believe their bank is in the best position to protect them from fraudulent transactions, but the banks do not see it that way. Through their account terms and conditions, banks place the burden on their business clients to be vigilant and to comply with the security precautions the bank recommends. A bank need only provide "commercially reasonable" security procedures, and banks take the position that the breach occurs on the customer's computer systems, not the bank's.

Businesses can take steps and introduce some best practices to help protect themselves:

  1. Talk to your bank. Ask what security measures it takes to protect your business. How does it protect wire transfers? Does it use encryption and multifactor authentication? Does it run anti-fraud software that detects suspicious activity and notifies customers immediately?
  2. Talk to a security expert. Ask what products or services they offer to help protect against hacking and fraud. Look for vendors with credible security certifications. Invest in products and services that are suitable for your business.
  3. Use a dedicated computer or dedicated resources for banking. Designate one computer that is used only for banking transactions and nothing else (no email, no general web browsing). If you cannot dedicate a machine, some products run a dedicated, isolated browser session that is kept separate from the rest of the computer.
  4. Limit access to sensitive data. Only a few people need access to the company's online financial accounts. Credentials should never be shared between authorized users, since any approval control depends on each action being tied to one identity. Consider requiring multi-person approval for transfers, and confirm any new or changed payment instructions out of band (a call to a number already on file, not a reply to the email that requested them).
  5. Educate your employees. Employees may be your primary point of vulnerability, but they are also your first line of defense, and they need to understand why security matters. Training should be held regularly, for new hires and existing staff alike.
  6. Have a password policy. Implement a policy that covers how often passwords must be changed (every 60 to 90 days), their composition and complexity (for example, at least one upper-case letter, one number, one special character, and a minimum length), and the use of different passwords for different accounts and systems. Note that more recent guidance, notably NIST SP 800-63B, no longer recommends routine expiry absent evidence of compromise and instead emphasizes long, unique passwords kept in a password manager and paired with multifactor authentication.
  7. Explore insurance options. Some carriers offer network cyber liability, security, or privacy loss policies. An insurer will likely require that a business deploy certain technologies and put certain policies and procedures in place before issuing the policy, and that it maintain them afterward. Cyber insurance is still evolving in an area where the risks change continuously, so carefully consider and negotiate the exclusions in the policy, or you could end up with coverage that is useless when you need it.
  8. Develop a response plan. A cybercrime is virtually a given, so businesses should be prepared. Your outside attorneys, security vendor, accountants, and insurance carrier can help develop the plan. But it does not stop at development: test the plan to make sure it works for your business, and revisit and revise it regularly to keep it current and suitable for your business.
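To make item 4 concrete, here is an added illustration (not code from this alert, and not any bank's API) of a maker/checker rule for outbound transfers: the person who enters a transfer can never be the person who approves it, and a second approver is required for large amounts or for any beneficiary the company has never paid before. The user names, the $10,000 threshold and the known-payee list are assumptions made for the example.

```python
"""Dual-control (maker/checker) approval for outbound transfers.

Illustrative example only. The threshold, user names and payee list are
assumptions; a real deployment would take them from the bank's online
banking configuration and the company's vendor master file.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed policy value for this example: amounts at or above this need a
# second person to approve before the transfer is released.
DUAL_APPROVAL_THRESHOLD = 10_000


class ApprovalError(Exception):
    """Raised when an action would violate the dual-control rule."""


@dataclass
class Transfer:
    transfer_id: str
    amount: int
    beneficiary: str
    initiated_by: str
    needs_second_approver: bool
    approved_by: Optional[str] = None
    status: str = "pending"          # "pending" or "released"


class TransferDesk:
    """Maker/checker control over outbound transfers.

    Every action is tied to one named user, so the initiator of a
    transfer can never also be its approver. Two people sharing one
    login look like the same user here, which is why credentials must
    never be shared (item 4 above).
    """

    def __init__(self, authorized_users, known_beneficiaries):
        self.authorized = set(authorized_users)
        self.known_beneficiaries = set(known_beneficiaries)
        self.transfers = {}

    def _check_user(self, user):
        if user not in self.authorized:
            raise ApprovalError(f"{user!r} is not authorized to act on transfers")

    def initiate(self, transfer_id, amount, beneficiary, user):
        """Enter a transfer; release it at once only if it is small and routine."""
        self._check_user(user)
        # A second approver is required for large amounts and for any
        # beneficiary the company has never paid before. The overseas
        # accounts in the incident described above would fail both tests.
        needs_second = (amount >= DUAL_APPROVAL_THRESHOLD
                        or beneficiary not in self.known_beneficiaries)
        t = Transfer(transfer_id, amount, beneficiary, user, needs_second)
        if not needs_second:
            t.status = "released"
        self.transfers[transfer_id] = t
        return t.status

    def approve(self, transfer_id, user):
        """Release a pending transfer; the approver must differ from the initiator."""
        self._check_user(user)
        t = self.transfers[transfer_id]
        if t.status != "pending":
            raise ApprovalError(f"transfer {transfer_id!r} is already {t.status}")
        if user == t.initiated_by:
            raise ApprovalError("initiator cannot approve their own transfer")
        t.approved_by = user
        t.status = "released"
        return t.status


if __name__ == "__main__":
    # Constructed walkthrough: a routine vendor payment releases immediately,
    # a large payment to an unknown account waits for a second person.
    desk = TransferDesk(["alice", "bob"], ["acme-supplies"])
    print(desk.initiate("t1", 2_500, "acme-supplies", "alice"))      # released
    print(desk.initiate("t2", 1_000_000, "overseas-acct", "alice"))  # pending
    try:
        desk.approve("t2", "alice")
    except ApprovalError as e:
        print("blocked:", e)
    print(desk.approve("t2", "bob"))                                 # released
```

The rule buys time rather than certainty: a pending transfer to a new payee is the moment to make the out-of-band phone call to a number already on file. It also shows why shared logins defeat the control, since a second person acting under the initiator's credentials is indistinguishable from the initiator and the approval is rejected.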

Banks have shifted the burden to their business clients to protect against cybercrimes. Unless the law changes, banks will continue to skirt liability for fraudulent transactions conducted through business bank accounts, and businesses should take proactive steps to mitigate their liability.


The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2026.
