NEW YORK (MainStreet) If a small business's bank account is emptied out by a cyber criminal, the loss is on the business.
That's the chilling takeaway from a recent Eighth Circuit Court of Appeals decision in a case named Choice Escrow v. BancorpSouth that involved a $440,000 loss for Choice Escrow.
Also See: Top 5 States for Small Business
The court essentially ruled tough luck.
And banking experts are insisting this is a ruling that ought to terrify every small and mid-sized business.
"This is a wet towel in the face of small business," Steve Lee, a Los Angeles lawyer, told Mainstreet. He pointedly added: "Hey, wake up, why do you expect to be protected the way banks protect consumer accounts? Businesses bank at their own risk."
Lee is right, Banks, in almost all cases, will make consumers whole when their accounts are robbed by cyber criminals. Not so businesses, which are protected (or not) under different laws and regulations.
Those protections - per the Eighth Circuit Court of Appeals ruling - look increasingly slim.
"Banks need to clearly state the risks," said Vincent Berk, CEO of Lebanon, N.H. network security company FlowTraq. "The risks are not clear to small businesses."
Berk's point: small and mid-sized business believe banks have their back when it comes to protecting them against cybercriminals who, by any measure, are increasingly sophisticated.
But, often, banks don't have their backs and courts now are saying that is as it should be.
This matters because a favorite target of cyber crooks, increasingly, are small and mid sized reasons, for two reasons. Often there is a significant amount of cash in their accounts and, in most cases, the business is so busy taking care of business it has put no resources into its cyber security.
That means it is prime for the plucking.
And this means you, if you own a small business, even a humble one woman yoga studio or you are an Uber driver or a busy Airbnb operator. A NASDAQ listing is not required to tempt cyber crooks.
Vulnerability and some cash on hand are plenty.
The Choice Escrow case makes this abundantly clear.
The facts of the case are plain. Hackers stole the Missouri based title company's log in and proceeded to send a $440,000 wire transfer to, first, a Bank of New York account. From there, it was shipped to an account in Cyprus. That money disappeared in the wind. BancorpSouth enlisted the help of the FBI, the State Department and the U.S. Embassy in Cyprus but to no avail.
The wire was payable to Brolaw Services. Ltd., about which nothing is known.
BancorpSouth, based in Tupelo, Miss., cited state law as well as federal law and concluded that it was not on the hook for the $440,000.
At the heart of the case is that BancorpSouth offered Choice Escrow a beefed up security protocol for wire transfers -- which are a preferred vehicle for international cyber criminals because large amounts of cash can be moved, instantly, out of business accounts. The preferred route traditionally is - as seen in this case - a first stop at a domestic bank, which triggers few suspicions. Then the money instantly hops to a foreign bank, often in a nation where the US has few or no reliable banking connections. Money sometimes can be clawed back from banks in Germany, the United Kingdom, or Japan. Once money hits a Russia, a Belarus, or, apparently, also Cyprus, that money is gone.
Back up a few steps. In November 2009, a Choice employee - having read an alert about foreign wire fraud - asked BancorpSouth if a restriction could be put on international wires.
The bank responded that wasn't possible, but it suggested instead that approval from two Choice employees - in a process called Dual Control - be required before a wire is transmitted.
Choice declined that option, noting that often only one approver was in the office and "that would be really tough," wrote a Choice employee.
Earlier, in May 2009, Choice had signed a waiver where it noted it had been offered and it had declined Dual Control.
After it suffered its loss and BancorpSouth refused to restore the monies, Choice eventually filed suit, claiming that BancorpSouth's reliance on password based wire approvals was not good enough and, in fact, fell short of federal requirements expressed in guidelines issued by the Federal Financial Institutions Examination Council (FFIEC).
In March 2013, a district court in Missouri ruled against Choice.
Now the Eighth Circuit Court of Appeals - based in St. Louis and covering a territory that includes Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota - has affirmed the lower court ruling and, in effect, told the small business, Choice, that its loss was its own fault.
Adding insult to injury, the Appeals Court also indicated Choice could also be liable for BancorpSouth's legal fees.
Multiple experts told Mainstreet that this double-barreled ruling likely will result in many fewer lawsuits filed by business victims of cyber crime against their banks. It also may prompt more banks to decline to make their business victims whole,
Stan Orszula, a lawyer with Chicago firm Quarles and Brady, noted that, technically, that decision sets a precedent only in that circuit. But he said he expected it might well have wider adoption. He added: "they [Choice Escrow] should have had additional controls. The court decided right."
The bottomline for small and mid-sized business: you are on your own in dealing with your bank. Expect no protections, you won't be disappointed.
--Written by Robert McGarvey for MainStreet