Sea Shift in Bank End User Agreements - Shifting Security Liabilities.

As most of you are aware, the updated Digital Privacy Act (amending PIPEDA) states that the Commissioner will have the right to disclose a breach if that information is in the public interest.

PIPEDA’s confidentiality provisions continue to apply, but the scope of what can be disclosed in the public interest has been broadened. The Commissioner may now make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act if he deems that doing so is in the public interest. Previously, this discretion applied only to information “relating to the personal information management practices of an organization.”

I'd suggest that the banks likely lobbied the Canadian government heavily to get that precise wording. The reason is that knowledge of data breaches at banks is not in the public interest, hence they need not be disclosed. I fully agree with that, for the record. This knowledge is not in the public's interest. It would certainly help serve the hacker community if every breach was disclosed every time, all the time.

If banks were forced to disclose that they'd been hacked, they'd first need to know they've been hacked, and many of them are not aware (quickly) that they've been compromised until an end user tells them about missing funds. I know what you are thinking: "why can't security software detect when someone or something has been breached?" Welcome to my world, sunshine. If any of us had that perfect solution, we'd all be flying our private jets to Hawaii. It is technologically impossible. I defy anyone to challenge that last statement.

Snowden: "It is not possible to build a device that is secure to the outside world and the user at the same time".

Further to my point: when banks do become aware they've been hacked, which is often, they can do very little to prevent it or even to stop it from happening again. The main reason is that banks are heavily reliant on the internet and e-commerce for the public's benefit. That makes banks very vulnerable to hackers by the nature of the technology they must use in order to deliver end user services.

What is alarming is the recently updated end user agreement with the bank I use. It states that if I use an unlocked cell phone with the bank's App and it gets compromised, then I might be held liable for the loss. In another case, an Ontario man who was charged more than $80,000 on his credit card for purchases he claims he hadn't made raised new questions about the security of online and credit card transactions and whether banks are shifting liability for fraud to their customers. I'd argue that clearly they are shifting liability to the end user and that this has been carefully thought out and planned. Whether or not the federal government prevents this sea shift, I'd think, depends upon court cases. Thus far the banks are winning those court cases; see below.

"Analysis of mobile applications of 50 of the world's top 100 banks has found all to be vulnerable to several security threats" - SC Magazine.

In the case of the unlocked cell phones, what that bank is really saying is that the App they use has been breached. What likely happened is that malware got onto the phone from a nefarious company that provides unlocked cell phone service. The cell phone itself is no more and no less secure whether locked or unlocked. What I recommend to individuals is to either extend your security software to your cell phone (often an option with security software) or download malware protection to your cell phone from the App store. Or do not use banking apps at all.

I do not blame the banks for this sea shift in liability, as many end users are neither educated about nor even care about digital security. That in itself places a huge burden on the banking system, and they argue that the risk should be shared. The argument, of course, is that it is your choice to download the app and your choice and decision not to be aware of the risks associated with using those services. I do think that if that is the banking sector's stance, they must then be part of the solution, i.e. training and awareness etc. The banks also must stop being compliance check-box buyers, as that is hardly security.

In conclusion, end users need to be aware of the risks, and banks will need to help educate end users on security. The alternative to all of this is stone age banking or, as some like to call it, the good old days of paper banking. It worked and, yes, was more secure, but certainly not efficient.

Written by
David Morrish
You can contact me at
[email protected]


Bruce Thompson

Business Consultant at Ubiquitel, SkywayWest, SmartEdge, Synditech

8 years

Nice article!
