This isn’t the first time that I’ve talked about the notion of “zero liability” and the false sense of security it can create about victim responsibility and liability if money is removed from their accounts in a cyber attack.

Most financial institutions now offer some form of zero liability that promises to quickly reimburse any funds stolen by cyber thieves. But we’re now seeing a growing number of financial institutions back away from that promise, dig their heels in, and refuse to pay up for losses.

According to a story in the Marin Independent Journal, in April 2009 more than $500,000 was stolen from the bank accounts of the local sanitary district, apparently all done online by cyber thieves.

The bank quickly recovered $162,000 but the thieves managed to disappear with the rest. And while the bank agreed to repay some of the remaining stolen funds, they refused to refund $180,000. There goes your zero liability.

And banks can use many excuses or reasons to refuse to honor their promise. For example, many banks don’t offer zero liability to business accounts – they’re not required to by law anyway. They can argue that a business should know better and therefore have its own security mechanisms in place. Or maybe the thief was a trusted employee within the business and so the bank can pass the blame to the victim.

Whatever its reasons, in this case the bank simply refused to reimburse the victim the remaining amount stolen. So the sanitary company sued, claiming that while the bank did have rudimentary security mechanisms in place, it lacked the more sophisticated security measures that might have prevented this attack in the first place.

18 months later the bank finally relented, and without admitting any liability, agreed to pay back the final $180,000 or so.

If the victim in this case did not have the advantages of money and lawyers to take on its own bank, it probably would not have recovered any of its stolen funds.

Lessons learned?

• I’ve said it many times – zero liability does not mean zero responsibility or zero loss. So don’t always count on your financial institution to make you whole.
• Keep as little money as you need in your checking account. Any excess funds should be kept in a separate account that has no Internet transfers allowed.
• Check your computer regularly to make sure it’s not hiding malware like Trojans that could steal your online passwords.
• Tale all the security measures you can to protect your online banking, and document them, so if your bank accuses you of being lax about security, you can prove otherwise.

Related Story: Bank of Marin, Novato Sanitary District settle on cybercrime case
http://www.marinij.com/marinnews/ci_15881881

Related posts:

1. IN THE HEADLINES: Why You Can’t Always Depend on Zero Liability