Over the years, many have doubted whether we will see substantial, real-dollar information security lawsuits. Some said that companies don't want to be embarrassed by filing suit and having to admit in their complaints that they've been hacked. Others said there's no money in it for potential plaintiffs (and plaintiffs' attorneys). In my opinion, I always thought we'd see plaintiffs filing cases when large losses occurred, and therefore the dollars to be recovered are large as well. In addition, the bad economy makes companies much more interested in recovering money these days. Avoiding embarrassment by foregoing the possibility of recovering a lot of money is a luxury companies can't afford in a horrible economy.
So it is no surprise to see a new information security lawsuit in Michigan entitled Experi-Metal Inc. v. Comerica Bank, No. 09-cv-14890 (E.D. Mich. Notice of Removal filed Dec. 17, 2009). The case is pending in the federal district court in Detroit, Michigan. You can download a copy of the Complaint by clicking here.
Experi-Metal was a Comerica customer whose employee was fooled by a phishing attack, and clicked on a link in a phishing email. Significantly, Comerica had switched from using SSL and digital certificates, apparently for client as well as server authentication, to a one-time password token. The Plaintiff alleged that the phishing site obtained the employee's user credentials, which the fooled employee inputted. The phishers then used the credentials to obtain access to the account and initiate dozens of wire transfers out -- to the tune of $560,000. And there you have the big loss. Evidently, also, the bank was unwilling to make Experi-Metal whole for the loss.
Experi-Metal then sued the bank, contending that it should not have authorized the transfer requests. The company claimed that the bank continued to transfer money out of the account, even after it had been put on notice of the breach. Experi-Metal said that the two-factor authentication token provided inadequate security. Experi-Metal also claimed that the bank failed to prevent multiple fraudulent transfers after having authenticated using the stolen credentials only once.
Comerica's answer points the finger at Experi-Metal, saying that the it properly authenticated a user that made a wire transfer request in accordance with its user agreement. To the extent the fraud occurred, according to Comerica, it was the fault of the Experi-Metal employee. Moreover, Comerica contended that its security was adequate. For a copy of Comerica's answer, clickhere.
I believe that this case foreshadows case filings in years to come. Companies are depending more on information technology to conduct their businesses. Service providers are not completely locking down their systems (whether because of costs or perceived lack of user acceptance). People are beginning to lose substantial amounts of money. The economy is bad enough so that the service providers don't want to make their users whole after a breach, and allegedly damaged users feel they need to try to recover the money, and not simply walk away out of embarrassment.
All of these factors produce the ingredients for real-dollar litigation. With all of these factors, we're going to see more lawsuits. It's just a matter of time.
Stephen Wu
Partner, Cooke Kobrick & Wu LLP
650-917-8045