By Lee Dong-wook
Though it did not catch the attention of many people, something very interesting is happening in the world of Korean Internet transactions. In April 2006 when the Electronic Financial Transaction Act (EFTA) was promulgated, it was at the center of controversy as banks were burdened with the precautions against the wrongdoings of hackers.
Since the contents of the EFTA are focused mostly on who will be held liable (Article 9) if there are any problems while engaged in electronic financial transactions, legislators of the EFTA worked with the presumption that there will be hacker attacks and concentrated mostly on how to protect consumers.
Although supporters of the EFTA argue that financial Internet service providers are in a better position than general participants of the electronic financial transaction, it remains questionable and leaves much room to be rectified at least in the eyes of U.S.-trained lawyers like me. In the traditional jurisprudence of law and equity, is it fair and just to hold the financial Internet service providers (FISPs, mostly banks) strictly liable even without faults to be indirectly liable for any attacks from hackers?
Now since there is a move to amend the EFTA, though it is still not certain yet as to whether the banks will become less burdened after the amendment, I believe it is the right timing to revisit the EFTA almost three years after its debut.
The key issue about the EFTA is that the FISPs, mostly banks, in Korea under the act are ``strictly liable'' by ``vicarious rule'' in Internet transactions. Of course there are some exceptions in the law for a few minor cases when the banks will be off the hook by proving the contributory negligence by its clients, for example when there is malice or gross negligence by the clients. The whole controversy can be boiled down to two questions:
1. Is it fair and right to hold the FISPs strictly liable for all the wrongdoings of electronic financial transactions?
2. Will the strict vicarious liability for the FISPs by the EFTA detect and prevent all the wrongdoings of electronic financial transactions?
In order to answer these two questions, we need to start our discussion with a comparison of negligence rule and strict liability rule. According to the ``Black's Law Dictionary'' (7th edition), negligence arises when there is a failure to exercise the standard of care that a reasonably prudent person would have used in a similar situation while strict liability does not depend on actual negligence or intent to harm, but that is based on absolute duty to make something safe.
Strict liability is that someone shall be absolutely liable by law even if he is not at fault at all. Traditionally, strict liability was applied to the keeper of inherently vicious animals for any wrongdoings of the animal. For example when a pitbull bites a toddler, its keeper is to be held liable no matter what, even if the toddler stepped on the tail of the animal. Strict liability was also applied to ultra-hazardous activity, for example dynamiting, since such activity involves the risk of serious harm to persons or property, and it cannot be performed without risk regardless of precautions taken and does not ordinarily occur in the community.
Only very recently the realm of strict liability was expanded to manufacturers, wholesalers, retailers and commercial dealers of the product in the name of strict product liability. Strict product liability arises when the buyer proves that the goods are unreasonably dangerous, the seller is in the business of selling goods, the goods are defective when they are in the seller's hands, the defect causes the plaintiff's injury and the product was expected to reach the consumer without substantial changes of condition.
Generally strict product liability is not applied to service providers regardless of whether or not such service is sold over the Internet. In addition, there are no big differences of precautions that can be taken by banks under the jurisdictions of strict liability and negligence.
Vicarious liability is a concept in which someone else can be held indirectly liable for the wrongdoings of another, mostly in an agency relationship. For example, parents can be held liable for the wrongdoings of their juvenile children. Such vicarious liability has evolved into agency theory.
Agency is a concept that a principal can be held liable and his obligations are subject to the contract that an agent signed with a third party. In order to form such an agency relationship, the agent is subject to the control of the principal; the agent shall have the authority to bind the principal contractually with 3rd parties; the agent is working for the benefit of principal; there shall be the agreement of the agent to act on behalf of the principal in addition to the fiduciary relationship between the principal and the agent. In modern days, such an agency relationship exists between employer and employee, unlike the master-servant relationship of the older days.
With this legal knowledge in mind, now let us look at what is happening in the world of Internet transactions. A recent Pentagon study showed that about 95 percent of all attacks by hackers are successful and only 5 percent are detected. The Pentagon estimates that 65 percent of its 30,000 computers can be, and are, hacked 1,000 times per day. Hackers changed a Department of Justice Web site to display a swastika and the text to read ``The Department of Injustice.''
A Japanese bank's account database was entered and data stolen. Many other cases of corporate data being hacked have also been reported.
Korea is no safe haven from hacker attacks: Woori Bank, Citibank and Hana Bank have experienced money theft at the hands of hackers.
Faced with hacker attacks, it is very difficult for banks to predict in what kind of form and what time such breaches will take place. No matter how well armed, it is very difficult for banks to take fully protective measures against the practice. It is difficult to trace original locations, detect purposes and latent periods, estimate damage, etc.
For the banks, it is also very difficult to insure themselves against hacker attacks. The culprits usually don't have deep pockets with which to pay for the damage they caused to the banks. Their purpose of hacking is not always pecuniary.
Under these circumstances, it is futile to hold the wrongdoers (hackers) in the Internet world responsible for their behavior since they are insolvent in most cases and they constitute identification, prosecution and traceback problems.
In addition to the characteristics of hackers and their behavior, we need to think over whether or not banks can be held liable like parents under vicarious liability or indirect liability. Some economists have long argued that banks are in a better position to control the situation and they should work in the best interest of their principals, i.e. their customers. They also argued that for the purpose of better efficiency, it would be reasonable for banks to be strictly liable. Although it may sound very plausible to hold the banks liable for and have them stay alert against the wrongdoings of hackers, especially among the people not working for banks, this argument is too far-fetched and very misleading.
Why? First of all, banks are not in an agent's position in Internet transactions with their customers and in coping with hackers.
Secondly, banks are not that better off when compared with their own clients in the world of Internet transactions when attacked by hackers. Simply speaking banks are, together with their clients, the victims of hacker attacks.
Professor Douglas Lichtman said correctly in his article ``Would Indirect Liability Reduce Costly Cyberspace Externalities?'' that when a party is in a good position to detect or deter another's bad conduct, indirect liability may be attractive [as in the parent-child relationship]. He also said that when it encourages a party to internalize some significant negative externality associated with bad activities, indirect liability is also attractive.
Earlier, I mentioned that about 95 percent of hacker attacks are successful and even Pentagon computers are being attacked. Most banks do not have the technical savvy of the Pentagon. Under the draconian regime of the EFTA, however, banks have to take up an unreasonable amount of care and duty under the name of strict liability even for the wrongdoers, i.e. hackers. In that sense, the EFTA is a bad attempt to stop problems ― akin to taxing banks out of existence.
Protecting Internet users is a noble goal. But at least in the eyes of this author, placing liability on banks by the EFTA has a fundamental flaw: It places efficiency ahead of justice. The EFTA, in its legislative procedure, sacrificed fair justice in the name of efficiency. But efficiency alone does not qualify to substitute for justice. In addition, we need to challenge the efficiency argument since it does not seem to be efficient at all for the banks.
The Internet, whether financial or not, is a medium and the supply of access to it is peculiarly unsuited to indirect liability as the EFTA proposes. Therefore, it would be too inordinate to request banks to be strictly liable under vicarious rule for any Internet transactions. It would be better if we change the standard of liability from strict liability to negligence rule for the banks as a full reflection of the real world.
Author of ``Electronic Financial Transaction Act'' (Korean), Lee Dong-wook is a member of New York State Bar Association. He invites feedback at 88lawyer@gmail.com