There are battles worth fighting and then there are wars worth winning. Bank of America, faced with a lawsuit from a Miami businessman alleging the bank failed to protect him from on-line banking risks, must decide that the latter is far more important than the former if the bank wants to protect its reputation.
The case will be difficult to sort out. In the mind of Joe López, operations manager of Ahlo Inc., the more than $90,000 wired to Parex Bank in Riga, Latvia, is unauthorized. Bank of America contends otherwise, saying it is not liable for the electronic-funds transfer since its system wasn't compromised. The Secret Service, which is investigating the case, confirmed that it did find Coreflood, a keystroke-logging malware, on López's computer.
While López may not have initiated the transaction, the malware enabled the cybercrooks to gain access to his account number and password to complete the funds transfer. Hence, BofA's claim that it is not responsible. Technically, the bank is correct, but why stand on principle with something so damning in the court of public opinion? BofA could very well win this battle, but the fallout (namely, customer confidence) makes one question the bank's legal strategy.
Remember that small business owners and consumers do not have in-house technology experts at their disposal to safeguard against Trojan horses, spyware and viruses employed by the cyber criminals. Did López go to great lengths to safeguard his computer system against such criminal attacks? Maybe not, but that hardly seems the point. By most customers' reasoning, correct or not, banks are responsible for fraudulent activity.
In private conversations, many industry players maintain that giving López his money back is akin to opening Pandora's box. At the same time, they concede letting this small business owner drown in technicalities is a public-relations disaster. So what should BofA do? Resolve López's matter privately if he is innocent of any wrongdoing (battle). Then, revisit the bank's security measures and whether they are adequate, and what, if anything, should be required of customers. Finally, develop a way of educating customers about threats that could compromise their computers, and the financial consequences of ignoring such warnings. If BofA does both (require security and educate customers about the consequences of failing to act), customers can protect themselves while enjoying the conveniences of on-line banking (war).
And what of Parex Bank? It has frozen $70,000 of the remaining funds in question (the cybercrooks withdrew $20,000) until BofA requests a criminal investigation from Latvian authorities. BofA's general counsel has said the bank is not in a position to make such a request since it incurred no loss.
Until its resolution, all eyes are on the case.