A U.S. court has decided that a bank whose client lost money when someone hacked into the client's account and transferred funds out of it was not liable to the client, because the bank had used ‘commercially reasonable’ security. The case is described on the Goodwin Procter website. The lengthy decision of the Magistrate Judge in Patco Construction v People’s Bank, later upheld, is available online.
Is this the right standard of care for negligence? Does it matter that the bank is regulated strictly under the Bank Act? Does it matter that the U.S. bank could rely on Article 4A of the Uniform Commercial Code (on electronic funds transfers), which has no equivalent in Canada?
‘Commercially reasonable’ security clearly does not mean unbreakable security. How else should one draw the line to set a fair allocation of risk between bank and client?