
February 16, 2010




While PlainsCapital made the preemptive legal strike, Hillary has preemptively struck in the PR war. And as you noted, they may have done so decisively. By the time any court decisions are reached there will be so much bad publicity showing up online the bank will need years to undo the damage. And even then it will only be possible if the bank did have other security measures available and they were turned down by Hillary.


PlainsCapital Bank received $84 million in TARP funds. They are using federal tax dollars to sue their own customer. Alan B. White is quoted as calling TARP funds "Investment Capital". Just one more reason why Hillary Machinery has people in DC at this very moment meeting with congressional staff.

Benjamin Wright

Amanda: Thank you for posting your comment. I am blogging a lot about the PlainsCapital v Hillary lawsuit/dispute because it is a pivotal case in the history of computer security law. As between the parties engaged in the dispute, I am neutral and independent. My decision to allow your comment to be published on my blog does not necessarily indicate that I agree or disagree with what you said.

Although I am reporting and evaluating the impact of the statements by parties in this conflict, I am not encouraging or discouraging them. I am not evaluating whether statements are right or wrong, correct or incorrect.

If any person thinks I am doing anything wrong, I ask that person promptly to telephone me at 1.214.403.6642.
--Benjamin Wright


Another legal issue I haven't seen discussed: Usually if a suit like this is settled out of court, there is some agreement among parties that they will not discuss the case further, and the publicity stops. But the many posts about this case will live on the internet and archives forever.

Most of the posts I've seen aren't from people who had ever heard of Hillary before, but from tech people who have dealt with security breaches and can easily imagine themselves or their clients in the same position. Add that natural sympathy to the fun involved in doing some amateur sleuthing about the case, and Hillary doesn't even need to seed blogs with comments.

Benjamin Wright

Not all comments about this controversy on the web are unfavorable to the bank. Stephen Northcutt of the SANS Institute generally observes that, in theory, a bank in a cyber theft incident must be wary that the customer colluded with thieves to stage the heist.


That there could be collusion with the bad guys. It goes both ways. It's possible in cases like this for someone at the bank to be in cahoots, too. Although hopefully that is a much less likely scenario.

We can't really know what happened, since PlainsCapital isn't talking. With the information Hillary is putting out it looks very bad for PlainsCapital. I still say that, unless PlainsCapital can bring out something totally unexpected they're going to lose - but the fact I have to put that caveat in says it's all still up in the air, however done it may look from out here.

Benjamin Wright

Jim Woodhill of http://www.authentify.com sent me an e-mail because he tried to submit a comment, but the system would not take it. So I post Jim's words here:

"[I]f you think this is a PR disaster for PlainsCapital Bank *now*, just wait. It can get a *lot* worse.

"Are you going to be at the 2010 RSA Security Conference this coming week? If so, if you want to hear how, just meet me at Authentify's booth (#732), and I will be happy to share my speculations on how PlainsCapital's situation can get 'qualitatively' worse, not just 'quantitatively'.

"[Benjamin], this is not just an interesting PR skirmish, it's a matter of national concern. Local and regional banks like PlainsCapital are not just an important part of the American economy, they are an important part of American society. It is not in the public interest for every small- and medium-sized enterprise in our country to decide as one that they have to move their accounts to J.P. Morgan/Chase Bank or risk losing everything to cyber-thieves. But that is the message PlainsCapital Bank and every other bank that Brian Krebs writes about on this issue is sending."

Also, in reference to the observation by Stephen Northcutt (two comments above), Jim says,

"He is completely correct, but seems unaware of how Congress has decided similar questions when forced to speak on such issues by private-sector irresponsibility. As a 'Club For Growth' Republican, I hate the idea of more congressional micro-managing of America's financial services sector, but I cannot see how it can be avoided with so many cases in so many congressional districts."

Troy Owen


I would offer that Mr. Northcutt is at least close to the line regarding his Editor's note with regard to this case. To restrict his comments to one loose hypothetical and accusatory angle footnoting our case is as ill-advised as it was for PCB to file a pre-emptive lawsuit publicly calling our 25-year record of fiscal and moral soundness into question before the world; you see what that has cost them so far.

Notwithstanding, and in respect to Bert for his comments, "commercially reasonable" security and some semblance of fraud detection would have stopped even a colluded criminal act had it contained such blatantly unusual circumstances. Anyone caring to peruse the details already made public can see that.

Troy Owen

Quite simply, I think prudent and reasonable people would agree that a bank's security measures are NOT "reasonable" if they allow a customer's account to be accessed then looted by Eastern European cyber criminals of hundreds of thousands of dollars over the course of 2 days and in a manner so inconsistent with the account holder's normal transactional history. Rather than spend so much time and energy defending a DEFEATABLE SECURITY SYSTEM, trying to DISCREDIT and more recently trying to DEFAME a victim of it (namely Hillary Machinery Inc), PCB and their counsel should do just a little research on the plethora of well documented cases of cyber crime events involving Eastern European cyber criminals and focus on protecting the customers they still have.

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
