The unfortunately reality of cyber theft is that it’s much like any other type of theft – even if the criminal is caught, it’s unlikely that the ill-gotten gains will ever be fully recovered. There are simply too many ways to hide their destination or make them disappear. This often means the victim will seek other avenues for recouping losses, including filing a civil action against entities or individuals who allegedly could have helped prevent the theft. In the case of O’Neill, Bragg & Staffin, P.C. v. Bank of America, a law firm’s attempt to do so failed to make it past the pleading stage in Pennsylvania federal court, indicating the court’s sympathy for victims will not translate into a legal claim against banks caught in the middle of cybercrime.
In O’Neill, a law firm fell victim to a classic form of social engineering that resulted in one of its partners transferring over $580,000 to a hacker in China. The attack began when the intruder gained access to a partner’s email account who was handling loan transactions for a client. Through this access, the attacker gained familiarity with the client, attorneys on the case, and different matters being handled. He then set the final execution into motion by sending an email that appeared to be from one partner to another, requesting that funds be transferred to a Hong Kong account as soon as possible. In the email, the hacker used attorney nicknames, referred to the client by name, and gave the accurate sub account number from where the funds would be transferred. Believing the request to be legitimate, the partner initiated the wire transfer through Bank of America. Approximately one hour later, the transferring partner reached out to attorney he thought had made the request, only to find out it was all a farce.
The O’Neill firm immediately reached out to Bank of America, who said an attempt to stop payment would be made but could not be guaranteed. The firm also contacted the Hong Kong police and a local law firm. After all was said and done, however, O’Neill recovered just $88,000 of the $580,000 it had sent to the hacker. Understandably dissatisfied, it turned its attention to Bank of America in a lawsuit alleging a variety of breach of contract claims, violations of the Pennsylvania Commercial Code (“PCC”) and Federal Electronic Fund Transfer Act, and standard negligence. The Eastern District of Pennsylvania dismissed each of the firm’s claims, finding the contract with Bank of America afforded O’Neill no right to recovery. Further, the court ruled that the state and federal statutes were largely inapplicable to the case, and that any negligence claim was precluded by the terms of the contract. Most tellingly, the court noted that this harsh result is in line with the goal of the PCC, which creates a bright line rule because, “parties to funds transfers need to be able to predict risk with certainty, to insure against risk, to adjust operational and security procedures, and to price funds transfer services appropriately.”
This comment taken from the PCC – along with the total dismissal of the O’Neill firm’s action at the pleading stage – should be taken as a stark reminder of the need for companies and firms of all sizes to properly insure themselves against cybersecurity breaches. The method, used by the hacker in this case was not unique, nor was the chosen victim. As more hackers become adept at cybercrime, smaller entities will find themselves increasingly targeted. This case sets a significant precedent in Pennsylvania that no matter how you cast your claim, the only entity who will bear the loss of such an attack is the victim. By obtaining the proper cybersecurity coverage, you can minimize the damage by receiving significant assistance in the event of an attack, as well as a source of recovery if the funds cannot be recovered. Absent such coverage, you could find yourself in the same position as the O’Neill firm – chasing cyber ghosts with no realistic chance of ever getting your losses back.