Judge: Comerica must pay company hit in phishing attack

David Ashenfelter reports on a ruling in a case with potentially huge implications, EMI v. Comerica (past coverage): Comerica bank must reimburse a Sterling Heights sheet metal company $561,000 it lost in an Internet phishing attack, a federal judge has ruled in what may be the first such case nationally to be tried to a verdict. U.S. District Judge Patrick Duggan said the bank should have detected and stopped the fraudulent activity against Experi-Metal shortly after it began in January 2009. The company’s lawyer, Richard Tomlinson of Troy, said he was elated by Monday’s ruling. Read more on Detroit Free Press.

ACH Fraud on Trial: EMI v. Comerica

Tracy Kitten writes: Michigan-based Experi-Metal Inc. and Comerica Bank headed to court this month. Their case is the first major corporate account takeover incident to actually go to trial. The two parties now appear before the U.S. District Court of Michigan to debate how much responsibility EMI should assume for the takeover of its bank account with Comerica. What won’t be debated, however, is how banks should define “reasonable” security, says IT security attorney David Navetta — a definition left open to interpretation by the Uniform Commercial Code. Read more on BankInfoSecurity.

EMI v. Comerica: Court Finds Commercially Reasonable Security — Bank Loses Motion for Summary Judgment

David Navetta provides a legal analysis of the court’s denial of the bank’s motion for summary judgment in the case. An odd result — we know. We previously reported on the lawsuit filed by Experi-Metal, Inc. (“EMI”) and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed. As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica’s motion for summary judgment. To make a long story short, the Court denied Comerica’s motion and this case appears headed toward trial (or potentially appeal or settlement). Ironically, in the course of its ruling the Court found that Comerica had utilized commercially reasonable security procedures. However, that ruling had more to do with the language in Comerica’s contracts than an actual substantive analysis of Comerica’s security procedures. In this blogpost, we take a closer look at the Court’s ruling. Read more on Info Law Group.

Recommended: The Curious Case of EMI v. Comerica

David Navetta writes: Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law. Read his commentary and legal analysis on InformationLawGroup.

Forbes Breach Email Statistics

Total of 1,056,986 E-mail’s Found are unique. Total of 111,735 E-mail Providers 564 FORBES.COM 844 .GOV 14,572 .EDU Below is a list of all email providers that have 2 or more in the breach. (full list here) Article: https://datalossdb.org […]

How Fast Is Fast Enough to Tell Customers About Data Breaches?

Sue Reisinger writes on Corporate Counsel: In financial data breaches, timing is almost everything. On June 13 a federal court held Comerica Bank liable for data breach losses even though it notified the customer and stopped all account activity within six hours. Two days later Citigroup Inc. was explaining why it took nearly a month to start notifying 360,000 customers of a breach. While Comerica didn’t act fast enough for the court, experts say Citi’s delay may have been justified. Confusing? Such disparities can baffle not only companies and consumers, but also lawmakers trying to create a uniform standard for handling breaches. Read more on Corporate Counsel.

ACH Case: Headed to Trial?

Linda McGlasson writes: A series of motions in the Experi-Metal vs. Comerica Bank case indicate that this high-profile ACH fraud conflict could be headed for a jury trial. Both sides have filed recent motions, with EMI requesting a jury trial and Comerica asking for a non-jury trial. The case is set to be heard after mid-November, with Nov. 16 being set as the final pre-trial conference date. Legal experts differ over whether this case will actually proceed to trial, or if a settlement will be reached first, as happened with the PlainsCapital Bank vs. Hillary Machinery ACH fraud dispute. Read more on BankInfoSecurity.com. Additional previous coverage on the case can be found here.

Customer Vs. Bank: Who is Liable for Fraud Losses?

Linda McGlasson writes: At first this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks. But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility. “It will establish who is liable in the U.S. – the bank or the customer – for fraud losses that result from phishing,” says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research. Read more on BankInfoSecurity.com

Customer Sues Bank After Phishing Attack

Linda McGlasson reports: A Michigan-based metal supply company is suing Comerica Bank, claiming that the bank exposed its customers to phishing attacks. A lawsuit filed by Experi-Metal Inc. (EMI) in Sterling Heights, MI alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank’s security software. EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. EMI contends that Comerica’s actions opened its online bank account to a successful phishing attack where more than $550,000 was stolen from the company’s bank accounts and sent overseas. News of this suit comes days after news of another Dallas-based bank, PlainsCapital Bank, suing one of its customers in a dispute over a similar hack. EMI is but one of many companies across the U.S. being targeted by hackers in this fashion. Read more on BankInfoSecurity.