Forensics Disagreement | Web PR Levels Court-of-Law Playing Field
The web changes how public disputes are contested. Inexpensive web 2.0 publicity disrupts the balance of power.
Internet Bank Robbery - The Facts
After computer thieves stole [Krebs] $200,000 from the bank account of Hillary Machinery Inc., the company demanded reimbursement from its bank, PlainsCapital Bank.
The bank refused. Thus began one of the most gripping cases in the history of computer security law . . . and a lesson in how to use the Internet as a populist podium . . .
Apparently the investigation of the heist has not determined conclusively how the hackers succeeded in tricking the bank into transmitting money out of the account. Each party believes the forensic investigation proves it is blameless.
The Law On Internet Bank Robberies
The legal relationship between Hillary and the bank is largely governed by Uniform Commercial Code Article 4A and the banking agreements signed between the parties. In a case like this, an essential issue is whether the bank employed commercially reasonable security procedures when it acted upon what purported to be electronic payment instructions from Hillary. The bank maintains that its security was reasonable, and therefore it need not reimburse the money.
As this dispute escalated, Hillary might have sued, possibly in Texas state court or possibly in federal court.
But the bank seized the legal initiative. It sued Hillary in federal court! The bank may have calculated that a federal court would review this complex, technical case more thoughtfully than a state court. So it preempted Hillary's option to sue in state court.
From the federal court, the bank seeks an affirmation that its security was reasonable. In essence, the bank said Hillary had called into question the integrity of the bank's operations, and the bank is entitled to clear its name by way of litigation.
The bank is forcing Hillary to spend money on lawyers, quite possibly hoping Hillary will decide this quarrel is too expensive, too much trouble and will settle and shut up. From the perspective of traditional litigation strategy, the bank is probably in a stronger position because it can afford to spend much more on lawyers and technical experts to fight the case.
Internet as Populist Bullhorn
This is an unusual lawsuit. But it has taken an even more remarkable twist. Instead of cowering, Hillary has gone on the publicity warpath. On its primitive web page, Hillary complains noisily about the bank and its security.
It started working with other interested and knowledgeable parties, and is shouting from the virtual rooftops, “Can you believe this? Hackers stole $200,000 from my bank account, and then my bank sued ME!” That's one newsy sound bite.
Hillary has attracted quite a few news stories (including in the Dallas Morning News and the Denver Post), many of them favorable to Hillary. The most sensational is a TV report on Fox Business, which is posted on the web. Hillary of course points to many of these reports from its web site.
What's more, Hillary affiliates appear to be posting pointed comments on web discussion threads. When a popular Dallas news blog wrote an unrelated story about PlainsCapital, someone apparently associated with Hillary posted a comment saying (paraphrase) “Thieves stole money from our PlainsCapital account, and then PlainsCapital hauled us into court!” linking to the Fox Business video. [Another example: see the second comment, from Amanda, below this post.]
Someone who appears to be the spouse of a Hillary co-owner vocally discusses the case in an online forum, complaining about the bank and pointing to the media reports.
This controversy between Hillary and the bank now dominates the Wikipedia page about the bank. Can this be good for the bank?
In the public comments to a key blog article on the lawsuit, one observer sympathetic to Hillary finds that the bank has published a job posting for a wire transfer risk specialist. The observer suggests, yeah, they need someone with those skills! The actions of this "observer" (Is he or she affiliated with Hillary? A volunteer? Who knows.) give the impression that the public is rallying to Hillary's aid.*
The bank hasn't said much to defend itself in public. The bank's tight-lipped approach (“our lawsuit speaks for itself”) hasn't played well. There is no way all this chatter on the web has been good for the bank's reputation. The damage to the bank's image could far exceed $200,000.
Hillary is a reasonable-size mom and pop business ($35 million in 2008 annual sales). PlainsCapital ($4.4 billion in assets) is much larger. The bank's old-style approach – let our lawyers do our talking – seems to have enabled populist underdog Hillary to land some blows on its opponent.
Although many details about this case are known to the public, many are not. We don't know, for instance, everything about the security or insecurity of Hillary's computers or whether the bank had offered Hillary some additional security procedures that Hillary declined to use. (An example of additional security might be SMS text messages to cell phones of Hillary officials as each and every event transpires within the bank account.) The bank may have a stronger story here than it has revealed so far.
Cyber Publicity is Faster Than a Lawsuit
But as things are going now, the bank may not have a good chance to tell its side of this cybertheft story. Internet-driven public opinion may solidify long before the bank can explain.
Talking on the web (Hillary's approach) is fast and cheap. Talking through lawyers in the courtroom (the bank's approach) is slow and expensive.
Publicity is different today than it was a few years ago. In the past, an unflattering report might appear on TV or in a newspaper, and then it was gone and few would remember. But media reports today live persistently on the web. Months-or-years-old reports can show up when prospective customers google “PlainsCapital Bank.”
This squabble is not over. But as of February 16, 2010, little Hillary seems to have exploited the web as an asymmetrical weapon against a larger adversary.
Update: Resolution May 2010
Hillary and PlainsCapital settled their lawsuit, and agreed to keep the terms confidential. The settlement came two days after the court rejected motions by PlainsCapital that the case go to arbitration; PlainsCapital apparently wanted arbitration because it felt a public trial was less likely to deliver it a net benefit. It is hard for me to conclude that this lawsuit was good for PlainsCapital. The bank started the lawsuit. The bank's apparent goal was to clear its name and reputation. The bank did not achieve its goal.
Mr. Wright teaches IT security law at the SANS Institute, where he stresses how critical public communications (policies, notices, banners, warnings, contracts, subpoenas, interviews, social media, press releases, declarations in court and much more) are to effective cyber defense, negotiations and investigations.
* Gadzooks. Notice how easily a grumpy member of the public was able to dig up a choice detail about PlainsCapital (its job posting for a risk specialist) and link to it from a well-trafficked location with an unfavorable comment. The world did not operate this way a few years ago. Organizations like PlainsCapital live in more of a fishbowl today than they once did. Organizations must re-calibrate how they make and maintain their public images.
[Note: Since I originally posted this article, Hillary Machinery and its affiliates have contacted me and asked that I correct a couple of factual errors. Based on what they said and what I read elsewhere on the web, I have revised my article here. If anyone believes that I have made a mistake here or any other place, I ask that person to telephone me promptly at 1.214.403.6642.]