For banks in cyber heist, how to get their money back?
While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court.
May 12, 2013 4:33 by Reuters
MasterCard has said it cooperated with law enforcement in the investigation and said its systems were not compromised in the attacks.
The banks can still try to sue the processors for negligence or other claims, but their success may be limited by their contracts, which include regulations that lay out specific fines and dispute resolution procedures mandated by the credit card companies.
Such lawsuits have proven difficult to win, according to Joseph Burton of the law firm Duane Morris in San Francisco, an expert in financial litigation. U.S. federal courts have generally, but not unanimously, found that banks are restricted to contractual remedies.
In one major case, card-issuing banks filed a class action against Heartland Payment Systems after the processor announced in 2009 that a hack had compromised the data for more than 100 million credit cards.
A federal judge in Houston, Texas, dismissed almost all of the claims in 2011, finding that the banks were bound by their contracts, which included regulations set by Visa and MasterCard that govern how banks can seek relief after a breach. The banks’ appeal is pending.
Bank of Muscat and RAKBANK could also seek payment from their insurers under their general policies.
Some banks also have additional security coverage for cyber crime, although experts said the market for such policies is still relatively immature. It is not known if Bank of Muscat or RAKBANK carried cyber insurance.
The insurers, in turn, could also press claims against the processors, or the processors’ own insurers.
“It’s certainly possible that the bank could be left holding the bag,” said Frederick Rivera of the law firm Perkins Coie, an expert in financial services litigation in the United States.
A complicating factor is that the banks are located in the Middle East, while one of the processors is based in India, making it unclear which courts would have jurisdiction over any litigation. But experts said the requirements that credit card companies impose on banks and processors are global in nature.
Federal prosecutors will also seek restitution for the banks from the defendants arrested in the case, though the amount of funds available likely won’t approach the total amount of stolen money.
The U.S. Justice Department indicted eight people it said had withdrawn cash in New York, and prosecutors had seized hundreds of thousands of dollars in cash and bank accounts, along with luxury watches and a Mercedes sport utility vehicle. But the New York cell was just one part of a coordinated global heist in which $45 million was withdrawn from cash machines in 27 countries on Dec. 21 last year and Feb. 19 this year. U.S. prosecutors have not said where the ringleaders of the gang were based.
The prosecutors said the gang targeted prepaid debit cards issued by the two banks, using hackers who broke into the payment processing company to raise account balances and withdrawal limits for the cards.
The heist did not compromise the accounts of any individual customers, unlike in cases of identity theft. In those cases, customers are typically made whole by their financial institution or credit card companies, which in turn seek to be made whole by the company that was breached.
Pages: 1 2