Monday, February 1, 2010

Bank loses money, sues customer

I read this blog post by Brian Krebs (who, by the way, has deep insights into computer security issues) and at first blush I thought it was ridiculous that a bank would not only have the audacity to sue its customer after losing the customer’s money but would also ask the court to rule that its security procedures were compliant.

On further reflection, I started to think about the duty owed by the bank to its customers and the duty of a customer to keep his/her computer, passwords, personal information, network etc. secure. The rights and responsibilities of a bank towards its customer in traditional banking models have evolved over many decades, with courts and legislation fine-tuning them and with the banks generally having the onus of protecting their customer.

I don’t believe that the law can ever match the specificity of each and every exploit and breach, because of the pace of technology and the daily efforts to devise new ways to exploit any vulnerability, human or otherwise. There are vulnerabilities in any network, but the end user, bank or customer, is also personally susceptible to being exploited. Hence the trend towards social engineering, i.e. phishing, to extract your personal information. We all want to see <insert name of latest celeb> nude, don’t we?

Laws should be written in sufficiently broad (but not too broad) terms to capture the essence of the wrongdoing, and the courts should be able to interpret the law to fit the specific scenario.

I wonder whether different standards of responsibility should apply to individual consumers versus businesses. Should a small business expect to have the same network security as a multi-national bank?

At the end of the day, it really pays to read the terms of use if you intend to undertake online banking. However, it is more likely to snow in hell than for you to get a bank to modify its terms of use. But at least you will know where you stand.

Coming back to the headline, with due respect to the court, I don’t think the court can or even should be in the role of determining whether a computer network meets certain security standards. I don’t think computer security experts can even agree on this. But it is an aggressive move by the bank to shift blame for the loss to the customer. Let’s see how this plays out.
