February 22, 2010
In a BankInfoSecurity article titled “Customer Vs. Bank: Who is Liable for Fraud Losses?” associate Alysa Z. Hutnik was quoted. The article discusses the lawsuit, Experi-Metal Inc. (EMI) vs. Comerica Bank. EMI alleges that Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. The article highlights several questions regarding bank trust, responsibility and security.A customer’s trust in their bank proved to be an important factor within this case. Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. Ms. Hutnik stated that it is “important that, before an incident occurs, a company take proactive steps to implement a reasonable security program." She noted that “Even after a breach, if a company handles the issue responsibly, those efforts can earn back trust bit by bit. But here, where a customer is out of pocket hundreds of thousands of dollars as a result of a breach and was compelled to file a lawsuit to redress the issue, yes, the trust is likely lost."
With regards to phishing, the employee’s vulnerability to the phishing attack raises the core question of ‘What is sufficient training?’ Ms. Hutnik said, “if a company is going to be responsible under the law for employees' vulnerability to phishing attempts, that's a pretty good incentive to increase training.”
Ms. Hutnik recognizes a third key issue, which is often a gap in many companies: What measures were in place to detect unauthorized, unusual activity involving this customer account, and did the bank act quickly enough in response to such detection? "All companies could benefit from evaluating and assessing how they compare the issues raised in this case against their own information security programs," she said.
