A new court filing by Wells Fargo gives a glimpse into how the legal fighting over bank hacks may play out—and raises a novel question.
Returning readers will be familiar with the "SWIFT hacks" of the past year or so. (But if this is news to you, you can learn all about the hacks from our short animation.) These cyber-heists raised the question of who pays for SWIFT hacks: a victim whose computers were hacked and used to send bogus transfer instructions, or a bank that wasn't hacked but acted on those instructions. Under the Uniform Commercial Code's sections on wire transfers, if the victim previously agreed that its bank could use a particular security procedure, and if the bank actually applied that procedure in good faith, then the bank is generally off the hook—tough luck for the victim. But if the victim can show that the security procedures are commercially unreasonable, then the loss goes back to the bank. And banks generally can't contract their way out of this.
Or can they? Wells Fargo's recent answer to a lawsuit arising from a SWIFT hack goes further than simply denying liability to the victim (Banco del Austro). It also asserts a counterclaim. First, according to Wells Fargo, Banco del Austro failed to protect information about the security procedures, and that failure contributed to the hack. Second, Banco del Austro previously agreed to indemnify Wells Fargo for any losses that are Banco del Austro's fault. If Wells Fargo can prove that these premises are right, then the loss may go back to Banco del Austro.
This raises a novel legal question: Does an indemnification provision like this one run afoul of the UCC's provision that "rights and obligations arising under this section... may not be varied by agreement"? That will be a complicated question. We'll just have to see what Banco del Austro has to say about this when it submits its response on (or before) December 14.