Reimbursement of funds lost in an attack on an online account can be pursued against the bank operating the account.
In the last couple of years we have seen in our legal practice a great increase in the number of cases related to cybercrime (an issue we discussed in the firm Yearbook, at pp. 7–9). Many cases involve attacks on Internet bank accounts from which criminals steal money, mainly using “phishing” methods, sometimes cleaning out customers’ life savings.
Attacks on online bank accounts
The methods used by the perpetrators of these attacks are varied, but there is a common theme to many of the attacks. The perpetrators use deceit to gain access to data used to log onto the user’s online account. To this end they may send the user a forged e-mail, supposedly from the bank, with a link to a fake site where the victim enters his or her login data, believing that it the bank’s genuine site. Sometimes the user’s computer is infected with malware that captures the security information for transactions. Then the criminals, often operating abroad, use this information to transfer funds from the user’s account to various other bank accounts (generally established in Poland by “straw men”), in a number of tranches.
Whom to seek a refund from?
The owner of an account who learns that the money is gone should immediately complain to the bank. But often the bank refuses to uphold the complaint. Sometimes the bank asserts that the user’s behaviour or negligence allowed the data to be intercepted and the transactions to be carried out. Then the event should also be reported immediately to the police. Regaining the funds from the perpetrators through a criminal proceeding may be attempted. But given the evidentiary difficulties and the low probability of identifying the perpetrators and regaining the funds from them, an alternative or additional measure may be to demand reimbursement of the lost amounts, with interest, from the bank operating the attacked account. Based on our own practice and the latest case law, this may be effective.
Latest case law from civil courts
The effectiveness of this route has been confirmed within the past year in at least several judgments issued by Poland’s civil courts (although some of the judgments are not yet legally final).
In judgments of 15 January 2016 (Case I C 307/15) and 2 February 2016 (Case I C 1908/14), the Łódź Regional Court ordered a bank to reimburse plaintiffs PLN 100,000 and PLN 90,000 respectively, plus interest. Both of those judgments are already final, and the bank did not appeal. The facts were similar. The plaintiffs received a message telling them they had to download additional software to secure their banking transactions. They installed the software, which began to automatically intercept their SMSs, giving the criminals access to their single-use codes for authorisation of transactions in the bank’s online service.
In the judgment of 28 September 2015 (Case II C 383/15), the District Court for Łódź-Śródmieście ordered another bank to reimburse the plaintiff nearly PLN 20,000 plus interest. This judgment is not yet final. The plaintiff there made many attempts to log onto her online account. She entered the login and password, but the page froze and she received a message that she could not connect to the bank. The site also displayed instructions to type in a code from a list of single-use codes for authorisation of transfers. The plaintiff provided the code at least twice, and it was probably used later by fraudsters to clean out her account.
In the judgment of 15 January 2015 (Case I C 2504/14), the District Court for Warsaw-Śródmieście ordered the bank to reimburse the plaintiff nearly PLN 20,000 plus interest. This judgment is also not final. There the plaintiff installed a smartphone app for mobile banking which, it turned out, contained malware, which the perpetrators used to make unauthorised transfers.
Despite certain differences in the factual patterns and evidence, all of these rulings share common elements. First, in all of the cases the transactions resulting in stealing of funds from the accounts were found not to have been authorised by the plaintiffs. All of the plaintiffs had promptly notified the bank of the unauthorised transactions. Second, in all of the cases the courts found that the banks had not provided individual security for payment instruments protecting them against access by persons other than the authorised user. Third, it was not found in any of the cases that the plaintiffs’ own actions had caused the unauthorised transactions, intentionally or through gross negligence. This in turn led the courts to hold the banks liable for making transactions under the Payment Services Act which were not authorised by the payor.
Bank liable for unauthorised transaction
In most of these cases, the courts stressed that the bank is a professional entity whose duties are specified by, among other laws, Art. 43 of the Payment Services Act and Art. 50(2) of the Banking Law. In the simplest terms, these regulations impose an obligation on the bank to secure payment instruments and to exercise special care in ensuring the safety of the funds entrusted to the bank. Unauthorised removal of funds from accounts means that the banks did not comply with this obligation. The rulings also pointed to the lack of appropriate banking security measures—e.g. failure to verify the IP addresses from which the user logged onto the account, failure to assign the user to the country from which the person logs in, lack of telephone verification if the person logs in from a different country than usual, failure to use software performing a statistical analysis of the operations in the client’s account, and also that the anti-fraud programming that was used by the bank did not identify anomalies in the customer’s banking activity and did not generate an alert despite multiple operations exceeding a specific amount within a short time. In most of the cases the banks sought to defend themselves against liability by seeking to admit evidence from an IT expert to show that the measures used to secure electronic transactions were proper. Interestingly, the courts held that such evidence was unnecessary, and no special knowledge was required, as it was obvious to the court that under the circumstances, if the banks had used the right security measures, the transactions by unauthorised persons would not have gone through.
Unauthorised transactions and customer fault
In all of these cases, the banks generally pursued a similar line of defence, attempting to escape liability under Art. 46(3) of the Payment Services Act. They asserted that under the facts of the cases, the payors (the plaintiffs) were responsible for the unauthorised transactions because they intentionally or through gross negligence provided access to their log-in data and violated the duties referred to in Art. 42 of the act, thus causing the loss.
But the courts did not uphold this line of defence. They found that the plaintiffs were justified in their belief in the authenticity of the websites, messages and software that gave the impression of coming from their banks. The courts also pointed out that the contracts with the banks did not provide any specific requirements for the security measures which Internet banking customers should follow. The bank’s liability was not excluded by security warnings on the bank’s website or on the log-in page for the account. If the customer ignored such warnings from the bank, the court would treat that as at most an oversight caused by a lack of interest in reading the warnings. Such behaviour could not be treated as even ordinary negligence, much less gross negligence or intentional conduct.
Although some of these judgments are not yet legally final, they do seem to lay down the beginnings of a certain line of decisions by the courts which is advantageous to the victims of fraud, while also providing a realistic response to the increasingly common practical problems of combating cybercrime. Clearly, the decisions may differ depending on the specific state of facts. It is nonetheless a positive signal that the debate over instruments to be used in the battle with cybercrime extends beyond technical measures, but also includes legal instruments and is being addressed in the civil courts.
Lena Marcinoska, New Technologies Practice, Wardyński & Partners
The article is a part of the New Technologies Newsletter, May 2016