One of the issues we discussed regarding the proposed cybersecurity bills in the Senate was the question of a regulatory system to identify best practices and require them for critical infrastructure. I was then, and remain, skeptical of the idea. One reason for my criticism was (and remains) my belief that in the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly -- imposing costs on those who stint their cybersecurity efforts in an unreasonable manner. Today, Wired's Kim Zetter reports the first instance (at least the first that I know of) where a commercial institution (in this case a bank) has actually paid out a judgment ($345,000) to an account holder who had been hacked. As Zetter reports:
In a case watched closely by banks and their commercial customers, a financial institution in Maine has agreed to reimburse a construction company $345,000 that was lost to hackers after a court ruled that the bank’s security practices were “commercially unreasonable.”
People’s United Bank has agreed to pay Patco Construction Company all the money it lost to hackers in 2009, plus about $45,000 in interest, after intruders installed malware on Patco’s computers and stole its banking credentials to siphon money from its account.
The underlying decision by the First Circuit, Patco Constr. Co. Inc. v. People's United Bank (1st Cir. July 2012), concluded that the bank's reliance on password authentication, and its decision to ignore certain transaction-based flags (which had highlighted an unusually large off-shore fund transfer), was not good commercial practice. That's almost certainly correct, and it is also almost certainly the right way to develop cybersecurity performance standards -- through a close, fact-bound and developmental process.
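To make concrete what "acting on transaction-based flags" rather than trusting a password alone looks like in practice, here is an added illustration, not code from the court record, the bank, or the original post. It assumes a hypothetical account history, a hypothetical home country of "US", and constructed transfer amounts; the rule thresholds (three standard deviations above the customer's usual amount, and any first-time foreign destination) are assumptions chosen for the example, not values from the case. The point it demonstrates is that a flagged transfer is routed to step-up or out-of-band verification instead of being released on the strength of a credential that malware may already have stolen.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    """One outbound funds transfer request (constructed for this example)."""
    account: str
    amount: float
    destination_country: str  # ISO-style two-letter code, assumed


# Constructed history: a small domestic company's routine vendor/payroll transfers.
# These are hypothetical figures, not Patco's actual transactions.
HISTORY = [
    Transfer("acct-1001", 4200.0, "US"),
    Transfer("acct-1001", 3900.0, "US"),
    Transfer("acct-1001", 4500.0, "US"),
    Transfer("acct-1001", 4100.0, "US"),
    Transfer("acct-1001", 3800.0, "US"),
    Transfer("acct-1001", 4400.0, "US"),
]


def risk_flags(transfer, history, home_country="US", z_threshold=3.0):
    """Return the list of risk flags raised by a transfer against the account's history.

    Flags (assumed rule set for this example):
      - "no_history": nothing to compare against, so treat as unknown risk
      - "amount_outlier": amount exceeds mean + z_threshold * population stdev
      - "new_foreign_destination": first transfer to a non-home country
    """
    flags = []
    past = [t for t in history if t.account == transfer.account]
    if not past:
        return ["no_history"]

    amounts = [t.amount for t in past]
    avg, sd = mean(amounts), pstdev(amounts)
    # With zero variance fall back to "larger than anything seen before".
    ceiling = avg + z_threshold * sd if sd > 0 else max(amounts)
    if transfer.amount > ceiling:
        flags.append("amount_outlier")

    seen_foreign = any(t.destination_country != home_country for t in past)
    if transfer.destination_country != home_country and not seen_foreign:
        flags.append("new_foreign_destination")

    return flags


def decide(transfer, history, home_country="US"):
    """Map flags to an action. A valid password is never sufficient on its own
    once a flag has fired; the decision escalates instead of releasing funds.

    Returns one of: "approve", "step_up_auth", "hold_for_out_of_band_verification".
    """
    flags = risk_flags(transfer, history, home_country)
    if not flags:
        return "approve"
    # Two independent anomalies at once (large amount AND unfamiliar foreign
    # destination) is the pattern the post describes; hold and verify with the
    # customer through a channel the attacker's malware does not control.
    if "amount_outlier" in flags and "new_foreign_destination" in flags:
        return "hold_for_out_of_band_verification"
    return "step_up_auth"


if __name__ == "__main__":
    routine = Transfer("acct-1001", 4300.0, "US")
    suspicious = Transfer("acct-1001", 100000.0, "LV")  # constructed example
    print(routine, "->", decide(routine, HISTORY))
    print(suspicious, "->", decide(suspicious, HISTORY))
```

In the constructed history the mean is 4150 and the population standard deviation is 250, so anything above 4900 trips the amount rule; a first-ever foreign destination trips the second rule regardless of amount, and only the combination escalates to a hold. Real deployments would tune the thresholds per customer and add more signals (time of day, new payee, device fingerprint), but the structural lesson is the one the court drew: once the flags fire, the password stops being the deciding factor.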