EMI v. Comerica: Court Finds Bank's Security is Commercially Reasonable -- Bank Loses Motion for Summary Judgment

An odd result -- we know.

We previously reported on the lawsuit filed by Experi-Metal, Inc. (“EMI”) and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed. As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica’s motion for summary judgment. To make a long story short, the Court denied Comerica’s motion and this case appears headed toward trial (or potentially appeal or settlement). Ironically, in the course of its ruling the Court found that Comerica had utilized commercially reasonable security procedures. However, that ruling had more to do with the language in Comerica’s contracts than an actual substantive analysis of Comerica’s security procedures. In this blogpost, we take a closer look at the Court’s ruling.

The Standard for a Motion for Summary Judgment

To prevail in a motion for summary judgment (“MSJ”), the movant (Comerica) has the burden of establishing “the absence of a genuine issue of material fact.” If Comerica can meet this burden, the non-movant (EMI) can still defeat the MSJ if it is able to come forward with facts showing that a genuine issue of fact exists for trial. Overall, the court must accept EMI’s evidence as true and draw all justifiable inferences in EMI’s favor. It is under this standard that the court reviewed the available evidence and relevant law, and ultimately denied the MSJ.

Relevant Facts

As set forth in the various briefs filed by the parties, the factual scenario around the online banking breach was quite complex. The Court’s opinion actually cuts through (some might say ignores) this complexity.

Significantly, EMI had argued that Comerica actually provided EMI with two different services, but failed to implement a contract for the second “service.” The court did not buy this argument. While Comerica had changed the name of its online banking service, the Court found that it was still providing the same service to EMI. This finding is meaningful because if the name change had actually been a new service, EMI could have maintained that Comerica failed to comply with the contract requirements of Michigan’s version of UCC 4A-202 (sections MCLA 440.4702 and 440.4703 of Michigan’s Uniform Commercial Code). The end result of this finding was that EMI’s online banking and wire transfers in this case were governed by two agreements that Comerica entered into with EMI: the Treasury Management Services Agreement (for Comerica NetVision Wire Transfer -- the "Services Agreement") and Comerica’s Treasury Management Services Master Agreement ("Master Agreement").

Another important fact in the Court’s view was the authority provided to EMI’s Controller (Keith Maslowski) for purposes of effectuating wire transfers. Maslowski was the person that actually provided the criminals with EMI’s online banking login credentials during a “phishing attack.” The Court held that contradictory evidence existed as to whether Maslowski was authorized to execute transfers through Comerica’s online banking service, and therefore a genuine issue of fact existed as to that authority. This factual discrepancy plays significantly into one of the legal elements Comerica needed to establish on this MSJ: whether Comerica followed agreed-upon security procedures (discussed further below).

The timing of the fraudulent wire transfers and the communications between EMI and Comerica was also an important factor in the Court’s ultimate decision. On January 22, 2009 (the day of the breach) 47 wire transfers were initiated using EMI’s account. After noticing the wire transfer activity, at 12:05 that day, Comerica called EMI to inquire about the wire transfers. At that time EMI told Comerica that it had not authorized the 47 wire transfers, and informed Comerica that it should not honor the transfers or any other requested transfers (EMI also sent a follow-up email with basically the same instructions shortly after this call). Within 24 minutes of this call, most wire transfer activity had been halted. Nonetheless, between 10:53 a.m. and 2:02 an additional 46 wire transfers were initiated using EMI’s account.

In addition to the facts mentioned above, the Court made its decision based on evidence concerning the following factual assertions:

  • Comerica’s evidence that it provided EMI with the option to require two simultaneous user logins and approvals in order to wire money using online banking.
  • Comerica had previously used a digital certificate security procedure to authorize online banking users (before switching to the secure token-based system that is at issue in this case), and as part of that old security procedure, Comerica periodically sent out emails requiring users to enter their login credentials in order to renew those digital certificates.

Now that we have laid out the key facts used by the Court to make its decision, let’s look at the law at issue and how the Court applied it to this fact pattern.

Summary of the Law at Issue

EMI’s complaint alleged that the payment orders initiated from its account were not effective as payment orders of EMI because Comerica failed to comply with sections MCLA 440.4702 and 440.4703 of Michigan’s Uniform Commercial Code. Rather than restate the specific rules, we will look to the Court’s summary of them.

The Court indicated that for a payment order to be an effective order of EMI, even though EMI did not actually initiate the order, the following elements must be established under 440.4702(2):

1.  an agreement between Comerica and EMI that the authenticity of payment orders would be verified pursuant to a security procedure;

2.  the security procedure is commercially reasonable;

3.  the security procedure and any written agreement or instruction by EMI is followed by Comerica; and

4.  Comerica establishes that it acted in good faith in accepting the payment order.

In addition, the Court looked to section 440.4702(3) of Michigan’s Uniform Commercial Code for purposes of analyzing whether Comerica’s security procedures were commercially reasonable. Under that section a security procedure will be deemed reasonable if the following elements are met:

A. the security procedure was chosen by EMI after Comerica offered, and EMI refused, a security procedure that was commercially reasonable for EMI; and

B. EMI expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by Comerica in compliance with the security procedures chosen by EMI.

After reciting how it viewed the law, the Court proceeded to apply the facts at issue. For ease of reference, the next section of this blogpost will refer to the Court’s judgment on each element listed above according to the numbering (or lettering as the case may be) listed above.

The Court’s Application of the Law

As to Element 1., the Court looked to the language of the Services Agreement and Master Agreement that EMI had entered into with Comerica. As an initial matter, the Court rejected EMI’s argument that Comerica had provided two separate services, one governed by the Services Agreement and Master Agreement, and the other governed by no agreement (according to EMI). The Court held instead that despite the name change Comerica had provided a single online banking program subject to the relevant agreements. If EMI had established this factual argument, it probably would have been very difficult for Comerica to establish compliance with 440.4702(2).

Having done away with EMI’s two service argument, the Court then turned to Element 2., whether the security procedure at issue, use of token-based multifactor authentication, was commercially reasonable. For this the Court analyzed Elements A. and B. above. Comerica argued that it had offered EMI an initial security procedure, which EMI rejected, and therefore the subsequently implemented token security should be deemed reasonable by the Court under 440.4702(3). In particular, Comerica claimed that it offered EMI the ability to prohibit wire transfers unless two individuals separately approved the transfer, and EMI rejected this security procedure.

The Court, however, rejected this argument. First, the Court reasoned that requiring additional user approvals was not a “security procedure,” but rather was “an option or element within a security procedure.” The security procedure in this case, the Court found, was the “secure token technology.” Moreover, the Court noted that at the time the multiple user option was provided to EMI, Comerica was using the digital certificate technology, not the secure token technology.

Nonetheless, the Court eventually did find that Comerica’s security procedure was commercially reasonable as a matter of law. To do so, however, the Court did not engage in a substantive analysis of the commercial reasonableness of Comerica’s secure token technology. Instead, it relied on the contract language of the Services Agreement and Master Agreement. In both agreements, EMI agreed that the existing (and future) security procedures used by Comerica were commercially reasonable. In particular, in the Services Agreement, EMI agreed to the following:

“Customer [EMI] agrees that the Security Procedures are commercially reasonable for the type of entries which Customer may transmit to the Bank [Comerica]”

Similarly, in the Master Agreement EMI agreed that by utilizing the online banking service and employing the security procedure at issue, “the Security Procedure is commercially reasonable for the type, size and volume of transactions [EMI] will conduct using the Service.”

Based solely on the contract language in both agreements that EMI agreed to be bound by, the Court held that Comerica’s secure token security procedure was commercially reasonable as a matter of law. In fact, the Court rejected testimony by EMI’s expert witness that contradicted Comerica’s claim that its security procedure was commercially reasonable (the Court described the testimony as ineffective “parol evidence”).

Thus, what we have here is (to this author’s knowledge) the first court in the United States rendering a judgment on the issue of commercially reasonable security as a matter of law. However, the Court did not actually independently analyze as a substantive matter whether the security was reasonable. The ruling was based purely on the contract language. One wonders whether the same result would have occurred if Comerica had used a security procedure that was glaringly weak. For example, if Comerica had only required a person to input their first and last name to log in to EMI's online banking account, would similar contract language agreeing to reasonableness be effective?

At this point one reading the Court’s decision might be tempted to stop reading: clearly Comerica had established major elements of the MSJ. However, the Court still required Comerica to jump through some additional hoops, in particular Elements 3. and 4. above.

Element 3. requires Comerica to establish that there was no genuine issue of fact as to whether Comerica followed its commercially reasonable security procedures. On this count the fuzzy scope of Maslowski’s wire transfer authorization did Comerica in. The Court ruled that a question of fact existed as to whether Maslowski was authorized to perform wire transfers using Comerica’s online banking services. If, as EMI contended, Maslowski was not authorized to make transfers, then it may be possible for a jury to find that Comerica did not follow its commercially reasonable security procedure. Stated differently, in EMI's view allowing an unauthorized person to initiate wire transfers would be a failure to follow the agreed-upon security procedures. This failure to satisfy Element 3. was an independent basis to deny Comerica’s motion for summary judgment.

The Court went further, however, and also held that Comerica failed to establish Element 4. On this element, the Court analyzed the “good faith” requirements of 440.4702(3). The Court noted that the concept of good faith used in the UCC context is both subjective (e.g. “honesty in fact”) and objective (e.g. “observance of reasonable standards of fair dealing”). On this issue, the court analyzed four arguments put forth by EMI maintaining that Comerica did not act in good faith, including an alleged failure to act in good faith because Comerica:

  • failed to institute additional security procedures that would have enabled it to detect the unusual activity with EMI’s account;
  • allowed thieves to initiate 47 wire transfers even though EMI had only initiated two wire transfers in the previous two years (and both of those transfers came a full two years before those initiated by the thieves in this case);
  • failed to be alerted to the fraudulent nature of the wire transfers based on the unusual destinations of those transfers (e.g. Moscow, Estonia and China); and
  • allowed the initiation of 46 additional wire transfers after being instructed by EMI that Comerica should not honor any more transfers.

While the Court did not agree with EMI’s first argument concerning additional security procedures (it felt that such security arguments were relevant to the issue of “commercially reasonable security,” not “good faith”), it did agree that EMI’s other positions were valid in the MSJ context. In particular, with respect to each of EMI’s other contentions, the Court held that Comerica failed to provide evidence to establish that it had acted in good faith in accepting the payment orders at issue. As such, the Court held that genuine issues of material fact existed as to the good faith requirements under 440.4702(2). This too is an independent basis for denying Comerica’s motion for summary judgment.

Observations and Conclusion

So there we have it: the first court to make a finding of commercially reasonable security as a matter of law, and it did so without actually analyzing the security in place by Comerica.

It remains to be seen whether this case moves forward, is appealed or is settled at this point. What is clear, however, is that if other courts adopt the same analysis as this Court, banks may have some difficulty disposing of these cases early on and before trial. It will be interesting to see what transpires. On one hand, the case sets forth a contract-based procedure for banks whereby, based on the language of the contract, and the timing of the contract (relative to providing a customer with various security procedure options), a bank can potentially establish that it used “commercially reasonable security procedures” and protect itself before a security breach under UCC 4A-202. On the other hand, the good faith requirements of UCC 4A-202 suggest that both the bank’s fraud detection controls and post-incident response will be scrutinized (especially its ability to call back or stop wire transfers that are in process). The issue of good faith, some would argue, is one of those questions of fact that rarely has a clear answer.

Overall, some of the Court’s reasoning could be challenged on an appeal. As noted, the Court failed to substantively scrutinize Comerica’s security procedures, and instead based its commercially reasonable security holding on the language of Comerica's agreement. One could argue that the issue of commercially reasonable security under UCC 4A-202 should be independent of the language in a contract. For example, if a bank only required somebody to type their first and last name into a system in order to log in, and that was agreed to be reasonable security by the customer in a written agreement, would it truly be reasonable security from an objective standpoint? One might argue that the Court failed to take into account the objective standard that may be implied by the use of the word “reasonable” in this section of the UCC. The Court’s reliance on the parol evidence rule might also be scrutinized since EMI's cause of action was statutorily based (i.e. it was outside of the contract).

In addition, the Court appeared to draw several distinctions as to what procedures and controls constituted a “security procedure” under MCLA 440.4702. Under MCLA 440.4701, “security procedure” is defined to mean:

a procedure established by agreement of a customer and a receiving bank for the purpose of: (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication. (emphasis supplied)

At one point in its decision the Court ruled that the “security procedure” at issue is the “secure token technology.” It rejected Comerica’s contention that a multiple-login requirement is itself a security procedure, and implied that a multiple login with secure token technology is not a separate security procedure from one that utilizes only secure tokens. The Court also seems to suggest that fraud detection procedures based on wire transfer frequency and location are not “security procedures.” The meaning and scope of security procedure in this case could impact parts of this ruling. For example, if fraud detection measures based on the frequency and location of wire transfers are security procedures (or part of a security procedure), by the Court’s own reasoning, considering Comerica’s failure to implement such measures would not be appropriate for the “good faith” analysis under 440.4702(2).

Overall, we will continue to monitor where this case is going and will provide updates at the website as the situation develops.
EMI v. Comerica: Comerica's Motion for Summary Judgment

Back in February 2010, we reported on an online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”). As you might recall, this case involved a successful phishing attack that allowed the bad guys to get EMI’s online banking login credentials and wire transfer about $560,000 from EMI’s account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two-factor token-based authentication with a man-in-the-middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment in order to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties (you can find EMI’s response brief here and Comerica’s reply brief here).

P.S. I have linked to some of the key documents and have not included all of the supporting exhibits. I have all of the exhibits supporting all of these briefs, including relevant contracts and guides. If you want them all, please contact me at dnavetta@infolawgroup.com and we can arrange something.

Background

This matter revolves around a couple sections of Michigan’s version of the Uniform Commercial Code, in particular MCLA 440.4702(2), which provides in relevant part:

(2) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted. (emphasis supplied)

MCLA 440.4702(3) explains how “commercial reasonableness” is to be determined under MCLA 440.4702(2):

(3) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer. (emphasis supplied).

Finally, the definition of “security procedure” under MCLA 440.4701 is relevant in this context:

“Security procedure” means a procedure established by agreement of a customer and a receiving bank for the purpose of: (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication. (emphasis supplied)

In short, what these laws do is assign the risk of loss with respect to payment orders that may not have been actually initiated by the customer. Even if a payment order is initiated by a criminal that payment order will be deemed effective under the law as long as the requirements of MCLA 440.4702(2) are satisfied. If those requirements are satisfied, the losses may fall on the banking customer rather than the bank (at least with respect to this particular law – there may be other theories of liability that could apply).

Comerica’s Motion for Summary Judgment

The following summarizes the main arguments put forth by Comerica in its motion for summary judgment ("MSJ").

  • Comerica’s security procedure was commercially reasonable as a matter of law.

Comerica had established two-factor authentication using RSA secure token technology for its online banking. In order to access its online banking account EMI was required to input a user ID, password and PIN generated from the RSA token(s) possessed by EMI (the PIN is randomly generated and changed every sixty seconds). Comerica maintains that EMI agreed that this security scheme was commercially reasonable. Support for this contention is found in the NetVision Wire Transfer Agreement entered into by EMI, which provided:

Customer [EMI] agrees that the selected Security Procedures are commercially reasonable for the type of entries which Customer may transmit to Bank, and Customer shall hold Bank harmless for any action taken in reliance upon the use of the Security Procedures.

Comerica also argues that two-factor authentication is the same security it uses for its high volume wire transfer customers (i.e., suggesting that it was providing more security than would normally be afforded to a low volume customer like EMI).

Key to its argument is the language of MCLA 440.4702(3)(i) italicized and bolded above. Comerica argues that it offered EMI the ability to require up to two users to confirm every wire transfer payment order made by an EMI employee (the evidence for this offer is an affidavit from a Comerica VP indicating that she told EMI’s online account administrator about this security option). Following the relevant language in MCLA 440.4702(3), Comerica argues that EMI was offered this security option, but refused it, and therefore the two-factor authentication that EMI used is automatically “deemed” commercially reasonable.

  • Comerica followed the security procedure EMI agreed to use and acted in good faith

Comerica argues that there is no evidence suggesting that it failed to follow its security procedures consistent with MCLA 440.4702(3)(ii), and it maintains that it acted in good faith in accepting the fraudulent payment orders. Specifically, Comerica indicates it followed the two-factor authentication procedure that had been established. It also uses this argument to support its position that it acted in good faith. In addition, Comerica points to the assistance it provided EMI in recovering a large portion of the transferred funds as evidence of its good faith.

  • EMI admitted it was the source of the security breach

Comerica also argues that EMI was responsible for keeping passwords and PINs confidential, and that its actions resulted in the breach when it provided the information to the phishing attacker. To support this argument, Comerica cites a comment to UCC section 4A-203 which states:

The burden on the customer is to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so the security procedure cannot be breached.

EMI’s Response to Comerica’s Motion for Summary Judgment

EMI sets forth several arguments as to why it believes that summary judgment is unwarranted. As a reminder, the general rule is that motions for summary judgment should be granted only if there is no genuine issue as to any material fact (such that judgment is appropriate as a matter of law). Focusing on MCLA 440.4702(2) and the definition of “security procedure” under MCLA 440.4701, EMI sets forth four arguments contending that genuine issues of material fact do exist (making summary judgment inappropriate).

  • EMI never agreed to the RSA Token security procedures, therefore they are not “security procedures” as defined under MCLA 440.4701

MCLA 440.4702(2) only applies to “security procedures” as defined under MCLA 440.4701. EMI contends that it never agreed to the RSA token security procedures, and therefore MCLA 440.4702(2) is not applicable.

This argument rests on the allegation by EMI that Comerica switched wire transfer services, and EMI never agreed to the security procedures for the new services. EMI argues that it had entered into an agreement for NetVision Wire Transfer Services in November 2003. As mentioned in Comerica’s MSJ, EMI signed the agreement for NetVision services that included a specific agreement by EMI that Comerica was using commercially reasonable security. The authentication security for NetVision was a “digital certificate” process.

However, in May 2008 Comerica apparently changed to “TMC Web wire transfer services,” which used the RSA token security. EMI contends that it never entered into a written agreement for the new TMC Web services, never agreed to the RSA token security, and never agreed that such security was commercially reasonable. EMI also argues that it was not a signatory to various other documents referenced by Comerica, including an online banking user guide and Comerica’s Treasury Management Services Master Agreement (both of which provided more information concerning Comerica's security procedures).

Finally, EMI disputes Comerica’s contention that EMI’s use of wire transfer services constitutes acceptance of the RSA token security procedures. According to EMI, it actually never sent a wire transfer using the TMC Web wire service that utilized the RSA token security, and therefore it never accepted this security procedure. Since the RSA token security was never “agreed to” by EMI, it contends that MCLA 440.4702(2) does not apply or shift the risk of loss to EMI, and that Comerica is responsible.

  • Genuine issues of material fact exist as to whether Comerica’s RSA token security was “commercially reasonable”

EMI disputes Comerica’s contention that the RSA token security should be deemed reasonable under MCLA 440.4702(3). As summarized above, under that section if a customer refuses a security procedure that was commercially reasonable, but the customer agrees to another security procedure, the latter procedure is deemed commercially reasonable. This is basically a timing argument supported by dueling affidavits.

EMI claims that, at the time the TMC Web wire service was initiated, it was never advised that it could require approval from two authorized users prior to wire transfer, nor did Comerica offer additional security procedure options in connection with TMC Web services. This argument also rests on the prior EMI argument that it never entered into an agreement concerning the security of the TMC Web wire services in the first instance.

EMI then takes on the substance of "commercially reasonable security" using expert witness testimony. EMI’s expert contends that secure token technology was known to be lacking in any reasonable defense to a “man-in-the-middle” phishing attack. EMI’s expert opines that secure token technology has been unacceptable for banking logins since 2003. EMI’s expert also argues that Comerica’s particular implementation of this security was flawed based on prior practices of Comerica. In particular, with respect to the NetVision wire services that predated the TMC Web wire services, Comerica allegedly regularly sent EMI unsolicited emails that led to links requesting confidential login information. Essentially, Comerica's prior practice caused EMI personnel to be off guard when the phishing attack came in.

EMI also takes issue with the warnings that Comerica sent out concerning phishing attacks. It points to Comerica’s April 28, 2008 communication in which Comerica indicated that it would never ask for confidential information in an email. EMI contends that the very next day it received an email from Comerica asking EMI to provide confidential login information.

Finally, EMI argues that the RSA token-based security used by Comerica was not commercially reasonable because Comerica did not also implement security protection related to transaction verification and verifying wire transfers initiated after the initial login. In other words, EMI contends that an online banking system that allows unfettered wire transfers after a single successful login is not commercially reasonable. Had the token-generated PIN been required for each wire transfer (e.g. the RSA token generates a new random number every sixty seconds), then the bad guys would have been stopped after the first fraudulent wire transfer (instead of being able to do 93 separate wire transfers for a total of $1.9 million).

  • Genuine issues of material fact exist as to whether Comerica accepted payment orders in good faith and in compliance with the security procedures

EMI first argues that Comerica failed to accept the payment orders in good faith because it allowed 47 wire transfers to happen within a few hours even though EMI had only made two wire transfers in the prior two years. Moreover, EMI argues that Comerica’s lack of good faith is evidenced because it allowed 46 wire transfers to go through after EMI notified Comerica that EMI had not initiated the transfers. EMI also maintains that the failure to implement a simple fraud scoring system or fraud monitoring program to stop these types of wire transfers was evidence of a lack of good faith.
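As an added illustration (not code from the post or from either party) of the kind of monitoring EMI's arguments above describe, here is a small Python check that flags outgoing wires against a customer's own baseline: destinations never used before, a burst of wires far above the account's history, and anything accepted at or after a stop instruction. The account history, times, amounts and destination codes are constructed to mirror the narrative, not taken from the court record.

```python
"""Anomaly flags for outgoing wire transfers, modelled on the facts EMI argued.

Added illustration, not code from the post or from either party. All account
history, timestamps, amounts and country codes below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Wire:
    sent_at: datetime
    amount_usd: float
    dest_country: str  # two-letter country code; constructed values


def known_destinations(history: List[Wire]) -> Set[str]:
    """Countries the customer has actually wired to before."""
    return {w.dest_country for w in history}


def flag_wire(wire: Wire, history: List[Wire], earlier_today: List[Wire],
              notice_at: Optional[datetime], window: timedelta, limit: int) -> List[str]:
    """Return the rule names this single wire trips (empty list = no flag)."""
    reasons: List[str] = []
    if wire.dest_country not in known_destinations(history):
        reasons.append("new_destination")
    # Velocity: wires in the trailing window, counting this one.
    in_window = [w for w in earlier_today if wire.sent_at - w.sent_at <= window]
    if len(in_window) + 1 > limit:
        reasons.append("velocity")
    # Anything accepted at or after the customer's stop instruction is flagged outright.
    if notice_at is not None and wire.sent_at >= notice_at:
        reasons.append("after_stop_instruction")
    return reasons


def score_wires(history: List[Wire], incoming: List[Wire],
                notice_at: Optional[datetime] = None,
                window: timedelta = timedelta(hours=4),
                limit: Optional[int] = None) -> Dict[int, List[str]]:
    """Map the index of each flagged incoming wire (chronological order) to its reasons.

    `limit` defaults to the customer's entire historical wire count (minimum 2):
    an account that sent two wires in two years should not clear a dozen in an
    afternoon without review. A simple heuristic, not a tuned model.
    """
    if limit is None:
        limit = max(2, len(history))
    flags: Dict[int, List[str]] = {}
    seen: List[Wire] = []
    for i, w in enumerate(incoming):
        reasons = flag_wire(w, history, seen, notice_at, window, limit)
        if reasons:
            flags[i] = reasons
        seen.append(w)
    return flags


def summarize(flags: Dict[int, List[str]]) -> Dict[str, int]:
    """Count how many wires tripped each rule."""
    counts: Dict[str, int] = {}
    for reasons in flags.values():
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed sample: two legitimate wires in early 2007, then a burst on the
# day of the incident, with a stop instruction phoned in at 12:05.
HISTORY = [
    Wire(datetime(2007, 1, 10, 9, 30), 12_000.0, "US"),
    Wire(datetime(2007, 2, 3, 14, 0), 8_500.0, "US"),
]
DAY = datetime(2009, 1, 22)
INCOMING = [
    Wire(DAY.replace(hour=10, minute=53), 5_000.0, "EE"),
    Wire(DAY.replace(hour=11, minute=10), 7_500.0, "RU"),
    Wire(DAY.replace(hour=11, minute=30), 9_000.0, "CN"),
    Wire(DAY.replace(hour=11, minute=45), 2_000.0, "US"),
    Wire(DAY.replace(hour=12, minute=30), 4_000.0, "RU"),
    Wire(DAY.replace(hour=14, minute=2), 6_000.0, "EE"),
]
NOTICE_AT = DAY.replace(hour=12, minute=5)


def run_sample() -> Dict[int, List[str]]:
    return score_wires(HISTORY, INCOMING, notice_at=NOTICE_AT)


if __name__ == "__main__":
    for idx, reasons in run_sample().items():
        w = INCOMING[idx]
        print(f"{w.sent_at:%H:%M} {w.dest_country} ${w.amount_usd:,.0f}: {', '.join(reasons)}")
    print(summarize(run_sample()))
```

Each rule maps to one of EMI's contentions, so a reviewer can see which wires a baseline-driven check would have held for review even before the customer's call.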

Comerica’s Reply to EMI’s Response

Comerica also filed a reply brief to address the arguments set forth in EMI’s response to the MSJ. This section summarizes Comerica’s arguments.

  • The NetVision and TM Connect Web wire services were the same service governed by the 2003 NetVision contract

Comerica attempts to nullify EMI’s argument that it never entered into an agreement for security procedures related to TM Connect Web wire services. It contends that NetVision and TM Connect are the same systems. Comerica argues it simply changed the name of its online banking system. Comerica argues that the “Services” governed by the 2003 NetVision contract were the same and that all of EMI’s online transactions were subject to that contract. Comerica notes that the NetVision contract incorporates Comerica’s Treasury Management Services Master Agreement and a related user guide which Comerica uses to buttress its MSJ.

The NetVision contract also allows Comerica to update its security procedures, and indicates that after notice is provided by Comerica to EMI, EMI’s use of the services constitutes acceptance of the new security procedure. While EMI did not use wire transfer services until after NetVision changed its name to TM Connect Web, it had received wires from outside parties. Comerica contends that EMI’s continued receipt of wire transfers in its account constitutes use of the services and acceptance of the RSA token-based security procedures for outgoing wire transfers. Of course, EMI's acceptance is crucial if Comerica wants to rely on the risk-transfer mechanism set forth in MCLA 440.4702(2).

  • Under MCLA 440.4702(3) the issue of the “commercial reasonableness” of a security procedure is a question of law, not fact

On this issue, Comerica points to the explicit language of MCLA 440.4702(3), which indicates that “commercial reasonableness of a security procedure is a question of law.” As such, the court can decide that issue on a motion for summary judgment. Comerica contends that EMI acknowledged in the NetVision agreement that Comerica’s security procedures were commercially reasonable, making summary judgment in Comerica's favor appropriate.

  • Comerica followed its procedures and acted in good faith

Comerica contends that it followed the procedures in place for online banking and denies that other procedures, such as requiring the initiation of wire transfers by phone call, were relevant. It attempts to counter EMI’s arguments concerning good faith by noting that it was not physically possible to stop some of the wire transfers after EMI informed Comerica that those transfers were not authorized. Moreover, Comerica argues that when it was able to stop or recall wire transfers it did so despite not being bound to do so, and ultimately decreased the loss from $1.9 million to $560,000.

Finally, Comerica addressed EMI's arguments concerning prior Comerica requests for confidential information via email. It argues that those emails did not send the user back to a Comerica website, but rather to a website hosted by its security vendor, Verisign. Secondly, the information that was requested was not online banking login credentials, but rather an ID/PIN sent each year for the sole purpose of renewing EMI’s digital certificate. As such, Comerica’s warning that it would never ask for online banking credentials via email was not untrue, as EMI suggested.

Conclusion

These cases always get interesting when a little discovery ensues and the litigants begin digging into the relevant documents and contracts. As you can see, there is a lot going on here that has little to do with actual security, and more to do with procedural issues around security acceptance, contracting and the UCC. Nonetheless, on some level the issue of commercially reasonable security will have to be addressed (either by the court on this motion for summary judgment or later in the proceedings by the ultimate trier of fact).

What can be gathered from this case and this MSJ is the importance of contracts in this context, and apparently the importance of contract timing issues and clear indications of “accepting” security procedures related to online banking. While there is a paper trail here with some favorable contract language, the record does look muddied, and this can make it more difficult to win at this stage of litigation. Had the bank thought it through in more detail, it probably could have created a more solid record to back its arguments. For instance, while contracts incorporating other documents that are constantly changing may be efficient, they may not evidence the same degree of acceptance as requiring a new contract or other document certifying acceptance. Based on the dueling arguments, it is difficult to determine exactly where the court will come down on this motion for summary judgment. I believe that oral arguments are scheduled and thereafter we will get a written opinion from the court. Until then, have fun breaking these documents down and feel free to ask any questions you may have in the comments.