What If Your Online Bank Account Is Hacked? Are You Stuck?

Darrell Delamaide


August 02, 2012


A modern nightmare: Your bank account is hacked and emptied through unauthorized transfers. Will your bank make you whole? It depends.

Is it covered by the Federal Deposit Insurance Corporation (FDIC)? Nope. Should you worry? Probably.

Cybertheft of banking and brokerage accounts is growing more sophisticated as hackers increasingly target small businesses as well as retail clients. Physicians need to be aware of the risks and liabilities from these attacks, both for their personal and professional accounts.

How Bank Accounts Get Wiped Out

Most people appreciate the convenience of online banking -- the 24/7 access from the comfort of home or office and taking care of transactions with a couple of clicks -- but it also introduces new risks. Criminals located anywhere in the world might be able to obtain the personal information that enables them to be you online and carry out transactions with your money as if they owned it. What happens next depends on several things, and these are things you should pay attention to.

Regulators and the banking industry have developed fairly uniform methods for protecting depositors: deposit insurance in case of bank failure, and banker's blanket bonds in case of normal bank theft. But there is no uniformity yet on how to deal with cybertheft.

Bank and securities regulators do have rules about when and how financial institutions must report a breach of their own cybersecurity to clients. However, the actual liability for lost funds depends on the contracts signed by the customer in opening an account.

Many of the bigger banks, such as JPMorgan Chase, guarantee full reimbursement if their security is breached. Still, this is not uniformly the case, and many bank customers have had to go to court to try to recover their funds.

Even more problematic are cases in which an account is hacked because the personal information has been obtained from your computer owing to lack of adequate security or precautions on your part. Some banks are treating this like leaving your purse unattended or having your wallet pickpocketed -- "Sorry for your loss, but you should have been more careful."

Who's Responsible for Your Account Breach?

According to Chris Loeffler, a cybersecurity expert at the law firm of Kelley, Drye & Warren LLP in Washington, DC, the fundamental question is, "Where is the hack?" If, for instance, someone with authority over the account responds to a "phishing" attack -- where the hacker poses as the bank or the Internal Revenue Service, for instance -- and releases credentials, "it gets a little problematic," says Loeffler.

"Like any business, a physician's account has the responsibility to maintain proper levels of security," says Doug Johnson, the vice president for risk management at the American Bankers Association. These normally include appropriate levels of authentication, antivirus software, and dual control of the account.

The Uniform Commercial Code, which is binding on physician practices as on all other businesses, requires "commercially reasonable" measures. But just what that term means in the context of cybertheft is still debatable.

If it's clear that the financial institution is where the breach occurred, Johnson says, then the bank has the liability. If the liability is on the side of the customer, or if there is a breach of security on both sides, then reimbursement becomes a matter of negotiation or even litigation.

Is There Strange Activity in Your Account?

One gray area that has not been fully litigated is to what extent the bank is responsible for monitoring unusual activity in an account and alerting the customer.

"There are new requirements at the federal level about transaction monitoring," acknowledges Doug Johnson.

The question, says Chris Loeffler, is who is in the best position to monitor the account and to what extent the client has responsibility in this area. "There is not a bright line on this issue right now."

The difference between identity theft involving credit cards and that involving bank accounts is that the customer sustains an immediate hit when a bank account is pilfered, notes Loeffler. "You are out those dollars immediately," he says.

Bank accounts are insured by the FDIC up to $250,000, but only in the case of bank failure -- and only for actual bank deposits, not for other products, such as money market funds, that might also be on deposit in the bank.

Some of these other products -- for example, securities on deposit at a brokerage house -- may be covered by the Securities Investor Protection Corporation (SIPC), another federal agency that reimburses clients for securities lost up to $500,000 when a firm fails. (Obviously, the insurance does not cover any loss of value in the securities, only the loss of the securities themselves when they are held by a failed firm.)

But these federal agencies do not insure for loss from cybertheft. The FDIC Website says, "If a third party somehow gains access to your account and transacts business that you would not approve of, you must contact the bank and your local law enforcement authorities, who have jurisdiction over this type of wrongdoing." In other words: You're on your own -- good luck.