Legal Burden of Cybercrime Falls on Businesses, not Banks


There’s no turning back. We live in a digital world, and for better or worse, businesses are married to the triumphs and pitfalls that technology and the cybersphere bring.

Unfortunately, those pitfalls are getting deeper and more dangerous as data hackers sharpen their skills and prey on small businesses. While big-box retailers are taking the bulk of the headlines, small businesses are becoming significant targets of cybercrime. A Symantec report found 31 percent of targeted attacks were aimed at businesses with fewer than 250 employees.

But wait: for those of you who have ever been hit with an unexpected charge on your debit account, you ask, “Aren’t banks the real casualties of cyber-warfare?”

The Great Divide

It’s true there is a safety net known as “Regulation E” of the Electronic Fund Transfer Act (EFTA), which says that consumers hit with illegitimate electronic transactions are liable for at most $50, provided they report the transaction promptly. The bank reimburses the rest.

However, what’s critical for small business owners to understand is that the law is looking out for consumers, and consumers alone. The “Regulation E” umbrella of protection does not apply to business accounts, because there’s a major disparity between the account identities. A small business’s account is classified as a commercial holding. A consumer account is not. Only the latter is granted federal protection; everything else is governed by contract.

The Wake-Up Call

This means that if a business owner discovers $50,000 wrongfully wired out of his or her account, the bank has no legal obligation to refund that money, so long as the authentication matched. The business assumes the responsibility for security, leaving it to absorb the loss, which could plunge it into a fiscal catastrophe severe enough to close the business.

And the stakes get even higher. As businesses continue to operate in a digital world, those that are not vigilant with security measures could be the ones liable under the law should a hacker gain access to customer data and pillage consumer accounts.

Since a cyber attack is no longer a matter of if, but when, small business owners must proactively take the reins to shield their livelihood before a hacker gets there first. There are a few ways to make that happen.

  • Employ enterprise risk management (ERM). While most often utilized by large companies, every business that operates through any sort of electronic means should implement ERM, because every business is at risk of an attack.

This usually begins with a vigorous and comprehensive risk assessment to locate your company’s vulnerabilities, followed by developing a framework of risk mitigation. Identify the feasible actions by which your company can alleviate security risks, such as only allowing certain employees to have access to bank accounts, changing passwords frequently and upgrading firewall protections.

  • Delve into the fine print. Did you know there could be unique specifications for security measures in the contracts with your bank, vendors and credit card processors?

Having a full understanding of the security provisions outlined in contracts is a key factor in mitigating the lack of regulatory protection from data loss or electronic fraud. Often, businesses are required by contract to operate under particular firewall, malware or encryption guidelines. Should you ignore these contract restraints and your vendors or banks become victims through your server, your business could find itself served with a lawsuit.

  • Exceed what’s “commercially reasonable.” A business’s security efforts must always be considered “commercially reasonable” under your bank account agreement, meaning you must do at least as well as what everyone else is doing in order to gain any legal protection when an unauthorized person accesses your data.

Substandard anti-virus protections or practices, such as unlicensed software or negligent installation, will not be recognized as “commercially reasonable.” As a business owner handling sensitive data, it is your job to protect it. In fact, it’s always a best practice to go above and beyond what would be considered a baseline reasonable security measure. Doing so will enhance your protection against cybercrime, as well as help protect you from legal problems in the event of a breach.

(Keep in mind that businesses should always make sure their banks are operating under commercially reasonable procedures as well. If the bank’s systems lack appropriate security measures, then the liability tables could be turned.)

  • Ally with your bank. Don’t wait until you’re a victim of cybercrime to discover all the options for protection you have at your disposal through your bank. Discuss ways to detect suspicious activity and ask if your bank has programs available to prevent unauthorized electronic transactions, such as call-back procedures or sophisticated access codes. Each bank may have different options available, but to leverage those options in your favor, you may have to seek them out.

Regrettably, cybercrime has become another cost of doing business. The reality is that everyone pays in one way or another, if not through a direct breach then through the outside fees spent recovering from other attacks. However, it’s far better for your business to invest in protection now than to be crippled by the consequences later.

Mary Neil Price is a partner attorney with law firm Dickinson Wright’s Nashville office and focuses her practice on banking and finance law. Learn more at