Populist Politics
Forensics Disagreement | Web PR Levels Court-of-Law Playing Field
The web changes how public disputes are contested. Inexpensive web 2.0 publicity disrupts the balance of power.
Internet Bank Robbery - The Facts
After computer thieves stole [Krebs] $200,000 from the bank account of Hillary Machinery Inc., the company demanded reimbursement from its bank, PlainsCapital Bank.
The bank refused. Thus began one of the most gripping cases in the history of computer security law . . . and a lesson in how to use the Internet as a populist podium . . .
Apparently the investigation of the heist has not determined conclusively how the hackers succeeded in tricking the bank to transmit money out of the account. Each party believes the forensic investigation proves it is blameless.
The Law On Internet Bank Robberies
The legal relationship between Hillary and the bank is largely governed by Uniform Commercial Code Article 4A and the banking agreements signed between the parties. In a case like this, an essential issue is whether the bank employed commercially reasonable security procedures when it acted upon what purported to be electronic payment instructions from Hillary. The bank maintains that its security was reasonable, and therefore it need not reimburse the money.
As this dispute escalated, Hillary might have sued, possibly in Texas state court or possibly in federal court.
But the bank seized the legal initiative. It sued Hillary in federal court! The bank may have calculated that a federal court would review this complex, technical case more thoughtfully than a state court. So it preempted from Hillary the option to sue in state court.
From the federal court, the bank seeks an affirmation that its security was reasonable. In essence, the bank said Hillary had called into question the integrity of the bank's operations, and the bank is entitled to clear its name by way of litigation.
The bank is forcing Hillary to spend money on lawyers, quite possibly hoping Hillary will decide this quarrel is too expensive, too much trouble and will settle and shut up. From the perspective of traditional litigation strategy, the bank is probably in a stronger position because it can afford to spend much more on lawyers and technical experts to fight the case.
Internet as Populist Bullhorn
This is an unusual lawsuit. But it has taken an even more remarkable twist. Instead of cowering, Hillary has gone on the publicity warpath. On its primitive web page, Hillary complains noisily about the bank and its security.
It started working with other interested and knowledgeable parties, and is shouting from the virtual rooftops, “Can you believe this? Hackers stole $200,000 from my bank account, and then my bank sued ME!” That's one newsy sound bite.
Hillary has attracted quite a few news stories (including in the Dallas Morning News and the Denver Post), much of it favorable to Hillary. The most sensational is a TV report on Fox Business, which is posted on the web. Hillary of course points to many of these reports from its web site.
What's more, Hillary affiliates appear to be posting pointed comments on web discussion threads. When a popular Dallas news blog wrote an unrelated story about PlainsCapital, someone apparently associated with Hillary posted a comment saying (paraphrase) “Thieves stole money from our PlainsCapital account, and then PlainsCapital hauled us into court!” linking to the Fox Business video. [Another example: see the second comment, from Amanda, below this post.]
Someone who appears to be the spouse of a Hillary co-owner vocally discusses the case in an online forum, complaining about the bank and pointing to the media reports.
This controversy between Hillary and the bank now dominates the Wikipedia page about the bank. Can this be good for the bank?
In the public comments to a key blog article on the lawsuit, one observer sympathetic to Hillary finds that the bank has published a job posting for a wire transfer risk specialist. The observer suggests, yeah, they need someone with those skills! The actions of this "observer" (Is he or she affiliated with Hillary? A volunteer? Who knows.) give the impression that the public is rallying to Hillary's aid.*
The bank hasn't said much to defend itself in public. The bank's tight-lipped approach (“our lawsuit speaks for itself”) hasn't played well. There is no way all this chatter on the web has been good for the bank's reputation. The damage to the bank's image could far exceed $200,000.
Hillary is a reasonable-size mom and pop business ($35 million in 2008 annual sales). PlainsCapital ($4.4 billion in assets) is much larger. The bank's old-style approach – let our lawyers do our talking – seems to have enabled populist underdog Hillary to land some blows on its opponent.
Although many details about this case are known to the public, many are not. We don't know, for instance, everything about the security or insecurity of Hillary's computers or whether the bank had offered Hillary some additional security procedures that Hillary declined to use. (An example of additional security might be sms text messages to cell phones of Hillary officials as each and every event transpires within the bank account.) The bank may have a stronger story here than it has revealed so far.
Cyber Publicity is Faster Than a Lawsuit
But as things are going now, the bank may not have a good chance to tell its side of this cybertheft story. Internet-driven public opinion may solidify long before the bank can explain.
Talking on the web (Hillary's approach) is fast and cheap. Talking through lawyers in the courtroom (the bank's approach) is slow and expensive.
Publicity is different today than it was a few years ago. In the past, an unflattering report might appear on TV or in a newspaper, and then it was gone and few would remember. But media reports today live persistently on the web. Months-or-years-old reports can show up when prospective customers google “PlainsCapital Bank.”
This squabble is not over. But as of February 16, 2010, little Hillary seems to have exploited the web as an asymmetrical weapon against a larger adversary.
Update: Resolution May 2010
Hillary and Plainscapital settled their their lawsuit, and agreed to keep the terms confidential. The settlement came two days after the court rejected motions by Plainscapital that the case go to arbitration; Plainscapital apparently wanted arbitration because it felt a public trial was less likely to deliver it a net benefit. It is hard for me to conclude that this lawsuit was good for Plainscapital. The bank started the lawsuit. The bank's apparent goal was to clear its name and reputation. The bank did not achieve its goal.
–Benjamin Wright
Mr. Wright teaches IT security law at the SANS Institute, where he stresses how critical public communications (policies, notices, banners, warnings, contracts, subpoenas, interviews, social media, press releases, declarations in court and much more) are to effective cyber defense, negotiations and investigations.
* Gadzooks. Notice how easily a grumpy member of the public was able to dig up a choice detail about PlainsCapital (its job posting for a risk specialist) and link to it from a well-trafficked location with an unfavorable comment. The world did not operate this way a few years ago. Organizations like PlainsCapital live in more of a fishbowl today than they once did. Organizations must re-calibrate how they make and maintain their public images.
[Note: Since I originally posted this article, Hillary Machinery and its affiliates have contacted me and asked that I correct a couple of factual errors. Based on what they said and what I read elsewhere on the web, I have revised my article here. If anyone believes that I have made a mistake here or any other place, I ask that person to telephone me promptly at 1.214.403.6642.]
While PlainsCapital made the preemptive legal strike, Hillary has preemptively struck in the PR war. And as you noted, they may have done so decisively. By the time any court decisions are reached there will be so much bad publicity showing up online the bank will need years to undo the damage. And even then it will only be possible if the bank did have other security measures available and they were turned down by Hillary.
Posted by: Bert | February 17, 2010 at 10:51 AM
PlainsCapital Bank received $84 million in TARP funds. They are using federal tax dollars to sue their own customer. Alan B. White is quoted as calling TARP funds "Investment Capital". Just one more reason why Hillary Machinery has people in DC at this very moment meeting with congressional staff.
Posted by: Amanda | February 19, 2010 at 03:12 PM
Amanda: Thank you for posting your comment. I am blogging a lot about the PlainsCapital v Hillary lawsuit/dispute because it is a pivotal case in the history of computer security law. As between the parties engaged in the dispute, I am neutral and independent. My decision to allow your comment to be published on my blog does not necessarily indicate that I agree or disagree with what you said.
Although I am reporting and evaluating the impact of the statements by parties in this conflict, I am not encouraging or discouraging them. I am not evaluating whether statements are right or wrong, correct or incorrect.
If any person thinks I am doing anything wrong, I ask that person promptly to telephone me at 1.214.403.6642.
--Benjamin Wright
Posted by: Benjamin Wright | February 19, 2010 at 03:37 PM
Another legal issue I haven't seen discussed: Usually if a suit like this is settled out of court, there is some agreement among parties that they will not discuss the case further, and the publicity stops. But the many posts about this case will live on the internet and archives forever.
Most of the posts I've seen aren't from people who had ever heard of Hillary before. But tech people who have dealt with security breaches and can easily imagine themselves or their clients in the same position. Add that natural sympathy to the fun involved in doing some amateur sleuthing about the case, and Hillary doesn't even need to seed blogs with comments.
Posted by: AlphaCentauri | February 20, 2010 at 06:24 PM
Not all comments about this controversy on the web are unfavorable to the bank. Stephen Northcutt of the SANS Institute generally observes that, in theory, a bank in a cyber theft incident must be wary that the customer colluded with thieves to stage the heist.
Posted by: Benjamin Wright | February 21, 2010 at 09:36 AM
That there could be collusion with the bad guys. It goes both ways. It's possible in cases like this for someone at the bank to be in cahoots, too. Although hopefully that is a much less likely scenario.
We can't really know what happened, since PlainsCapital isn't talking. With the information Hillary is putting out it looks very bad for PlainsCapital. I still say that, unless PlainsCapital can bring out something totally unexpected they're going to lose - but the fact I have to put that caveat in says it's all still up in the air, however done it may look from out here.
Posted by: Bert | February 22, 2010 at 07:49 PM
Jim Woodhill of http://www.authentify.com sent me an e-mail because he tried to submit a comment, but the system would not take it. So I post Jim's words here:
"[I]f you think this is a PR disaster for PlainsCapital Bank *now*, just wait. It can get a *lot* worse.
"Are you going to be at the 2010 RSA Security Conference this coming week? If so, if you want to hear how, just meet me at Authentify's booth (#732), and I will be happy to share my speculations on how PlainsCapital's situation can get 'qualitatively' worse, not just 'quantitatively'.
"[Benjamin], this is not just an interesting PR skirmish, it's a matter of national concern. Local and regional banks like PlainsCapital are not just an important part of the American economy, they are an important part of American society. It is not in the public interest for every small- and medium-sized enterprise in our country to decide as one that they have to move their accounts to J.P. Morgan/Chase Bank or risk losing everything to cyber-thieves. But that is the message PlainsCapital Bank and every other bank that Brian Krebs writes about on this issue is sending."
Also, in reference to the observation by Stephen Northcutt (two comments above), Jim says,
"He is completely correct, but seems unaware of how Congress has decided similar questions when forced to speak on such issues by private-sector irresponsibility. As a 'Club For Growth' Republican, I hate the idea of more congressional micro-managing of America's financial services sector, but I cannot see how it can be avoided with so many cases in so many congressional districts."
Posted by: Benjamin Wright | February 23, 2010 at 08:22 AM
Benjamin,
I would offer that Mr. Northcutt is at least close to the line regarding his Editor's note with regard to this case. To restrict his comments to one loose hypothetical and accusatory angle footnoting our case is as ill-advised as it was for PCB to file a pre-emptive lawsuit publically calling our 25 year record of fiscal and moral soundness into question before the world; you see what that has cost them so far.
Notwithstanding, and in respect to Bert for his comments, "commercially reasonable" security and some semblance of fraud detection would have stop even a colluded criminal act had it contained such blatently unusual circumstances. Anyone caring to peruse the details already made public can see that.
Posted by: Troy owen | February 27, 2010 at 03:36 PM
Quite simply, I think prudent and reasonable people would agree that a bank's security measures are NOT "reasonable" if they allow a customer's account to be accessed then looted by Eastern European cyber criminals of hundred's of thousands of dollars over the course of 2 days and in a manner so inconsistent with the account holder's normal transactional history. Rather than spend so much time and energy defending a DEFEATABLE SECURITY SYSTEM, trying to DISCREDIT and more recently trying to DEFAME a victim of it (namely Hillary Machinery Inc), PCB and their counsel should do just a little research on the plethora of well documented cases of cyber crime events involving Eastern European cyber criminals and focus on protecting the customers they still have
Posted by: Troy owen | March 27, 2010 at 11:49 AM