Tuesday, January 09, 2007

Should society demand that investors be made whole if someone hacks into and steals from their on-line accounts?

Who should bear the loss when money is stolen from an on-line account, such as in this case, where this guy's account was hacked into while he was out of the country? When money is stolen, should the brokerage firm be forced to restore the investor's funds? Or should the investor suffer the loss?

In cases where the security breach was the firm's doing, sure, common sense dictates that the firm make good on the loss that, but for its negligence, would not have taken place. And investors have every right to expect recovery if the brokerage firm has, as part of its client agreement, promised to make good on any losses.

But what about situations in which the firm is not negligent? How about situations where either the customer was negligent, for example, in not safeguarding access codes, or where the customer was the victim of identity theft? And what about situations, such as the one I linked to, where there was no evidence as to the circumstances by which the hacker was able to obtain the user ID and password?

The money is gone... the question is whose pocket ought the money come out of? Should investors suffer, except in cases where they're able to prove negligence on the part of the brokerage firm? Or should the firm - and, by extension, the other customers of the firm - be forced to cough up the money?

It's easy to look to the deep pockets, especially in cases where the investor has suffered huge losses (in either absolute dollars or as a percentage of their net worth).... but does that make it right?

Our legal system usually allows someone to recover damages only if and when they are able to prove that a particular person was responsible for their injury. It's not enough for someone to prove that they were not at fault for their injury; they have to identify the individual who was responsible. And in cases where someone is injured and unable to identify the person at fault, except to the extent that they have insurance that will reimburse them for their loss, they have to absorb the loss.

Forcing brokerage firms to make their clients whole for these losses changes this dynamic, and in a way that isn't right. Nobody enjoys reading of people losing their funds to on-line fraud... but that doesn't make it right to make someone (in this case, the brokerage firm) pay for what they were not responsible for.

If society wants to avoid the spectacle of having to read and watch the stories of investors who have lost their money, then society might look to require investors to purchase insurance policies protecting them from fraud. But society ought not take the easy - and wrong - way of looking to the deep pockets.