An extremely unhappy customer is suing a People’s United Bank subsidiary, claiming the bank’s inadequate security is to blame for the electronic theft of more than half a million dollars from its account.
The customer, Maine-based Patco Construction Co. Inc., says People’s subsidiary, Ocean Bank, allowed a cyber thief to siphon off the money over an eight-day period without alerting Patco of suspicious account activity. Ocean Bank recovered or blocked about $243,000 of the withdrawn money, but the company still lost about $345,000.
But the thief also overdrew from Patco’s account, so the bank tapped into Patco’s line of credit, to the tune of $223,000. Now the bank is charging the company interest on that money.
People’s United has a number of divisions in Massachusetts, including Flagship Bank in central Massachusetts and the Bank of Western Massachusetts.
It’s Different For Businesses
“This is typical of the ‘circle the wagons’ posture Ocean Bank has adopted in response to this situation,” according to the lawsuit, saying the interest charges added insult to injury for the damaged company.
Cyber security and data protection is an oft-discussed topic, but it usually focuses on retail customers. Patco’s lawyer, Daniel J. Mitchell of Maine-based Bernstein Shur, said business-versus-bank versions of this problem rarely make it to court.
A central issue of the case is defining banks’ responsibilities in terms of protecting business customers’ money – at what point is security flimsy enough to be called negligent? Further, the case grapples with the question of how much responsibility the bank ultimately takes over its customers’ money.
The lawsuit was filed on Sept. 18, a few days after a People’s United vice president was named the Information Security Executive (ISE) Northeast’s People’s Choice Award Winner for beefed-up security in the wake of data security problems at the bank. In this case, however, the customer kept its money only with subsidiary Ocean Bank.
People’s United spokesman Brent Di Giorgio said the bank wouldn’t comment on pending litigation, but Mitchell says its defense has generally been to say that the business, not the bank, is responsible for its money. However, he added, it hasn’t made any official rebuttal to the business’ accusation.
Mitchell, for his part, is basing the lawsuit on the bank’s alleged violations of the Uniform Commercial Code, a law that synchronizes the law of commercial transactions across the country.
Under the UCC, the bank has a duty to protect its customers’ money, but the bank’s security was paper-thin – therefore, the bank was negligent and should refund that money in full, Mitchell said.
The UCC requires that financial institutions have a “reasonable security procedure,” according to financial services regulation attorneys. The question the court has to answer is whether Ocean Bank’s security was reasonable.
But Kelly Trammell, managing director of Texas-based technology and risk consultant Sheshunoff, says the contractual agreements between bank and customer are a major factor. If the agreement places responsibility on the customer, the customer should try to prove gross negligence by proving the bank failed to meet industry norms for security.
“It’s a very difficult standard to prove gross negligence, but that’s the only way to arise above the customer agreement,” he said.
How ‘Sophisticated’?
According to the complaint, the bank tells customers that its online banking system employs sophisticated measures to monitor electronic transactions, but that security was in fact particularly vulnerable.
The money could be accessed with an ID and password for both the company and individual users – employees who were authorized to access the account had their own ID and password combinations, also – and two “challenge” questions.
“Conventional wisdom in the banking community today is that passwords alone are not adequate security for Internet fund transfers,” according to the complaint. Banks generally offer some form of token-based authentication, but Ocean Bank didn’t offer such protection.
On May 7, hackers began using the ID and password of a Patco employee to log into the account and initiate transfers from an IP address that Patco had never used. The transfer was the largest credit transfer ever from that account; it originated from an unfamiliar IP address and went to a number of unfamiliar accounts. Even so, the bank didn’t see fit to alert Patco, according to the complaint.
Some of the money was directed to invalid accounts and so bounced back to the bank, which triggered a notice of rejected transfers via U.S. mail – however, that notice didn’t arrive at the business owner’s home until May 13. By then, the hackers had been steadily withdrawing money, and continued to do so even though Patco alerted the bank to its suspicions the morning of May 14.
The last fraudulent transfer of $112,000 went out on May 15, and by then the bank had drawn $223,000 from Patco’s line of credit without notifying the company, and it is now charging interest on the loan.
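The complaint's point is that each transfer carried signals a monitoring system could have caught: an unfamiliar source IP, first-time payees, an amount larger than any on record, and transfers bouncing back as rejected. The following is an added illustration (not Ocean Bank's system or anything from the complaint) of how such checks compare a pending transfer against an account's accepted history; the transfer records, IP addresses, payee labels and the hold policy are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    user: str      # login ID that initiated the transfer
    src_ip: str    # address the online-banking session came from
    payee: str     # destination account identifier
    amount: float  # dollars

# Constructed history: routine payroll from the office address to known payees.
# The documentation ranges 192.0.2.0/24 and 198.51.100.0/24 are used as sample IPs.
HISTORY = [
    Transfer("bookkeeper", "192.0.2.10", "payroll-vendor", 9500.0),
    Transfer("bookkeeper", "192.0.2.10", "payroll-vendor", 9700.0),
    Transfer("bookkeeper", "192.0.2.10", "ins-carrier", 1200.0),
]

def risk_flags(history, new):
    """Compare a pending transfer with the account's accepted history and
    return the reasons it looks anomalous (an empty list means routine).
    Note that a valid user ID and password say nothing here: the signals
    come from where the session originated and what it tried to do."""
    flags = []
    if new.src_ip not in {t.src_ip for t in history}:
        flags.append("new source IP")
    if new.payee not in {t.payee for t in history}:
        flags.append("new payee")
    if history and new.amount > max(t.amount for t in history):
        flags.append("largest amount on record")
    return flags

def should_hold(flags, rejected_returns=0):
    """Constructed policy (assumption, not a regulatory standard): hold the
    transfer for out-of-band confirmation with the customer when two or more
    signals coincide, or when any signal coincides with a transfer from the
    same session already bounced back as rejected."""
    return len(flags) >= 2 or (bool(flags) and rejected_returns > 0)

if __name__ == "__main__":
    routine = Transfer("bookkeeper", "192.0.2.10", "payroll-vendor", 9600.0)
    odd = Transfer("bookkeeper", "198.51.100.7", "unknown-acct-1", 56000.0)
    for t in (routine, odd):
        f = risk_flags(HISTORY, t)
        print(t.payee, f, "HOLD" if should_hold(f) else "release")
```

The routine payroll transfer produces no flags, while the constructed anomalous one trips all three and is held rather than released on the strength of a correct password alone.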
Robert Bessel, spokesman for Avon-based bank technology services vendor COCC, said the company couldn’t delve into the details of Ocean Bank’s security, but said, in general, the company advises multi-layer defenses.
“Defense in depth” means that the bank assumes a clever or lucky cyber criminal will penetrate the first layer, he said.
Mitchell avers that Ocean Bank’s challenge questions were essentially just an extension of the ID/password layer.
“The questions provided little to no additional security,” according to the complaint.
Trammell thinks security questions like these will inevitably become the focus of legislation in the future. While credit and debit card transactions and relationships are much more solidly codified in the law, money transfers of this nature – through the Internet and mobile phone banking – aren’t as well defined.
But such security laws are likely to be on their way: “That may be the next wave,” he said.