In addition to a story on the Zappos hack, the New York Times also has an editorial, "Convenient, but How Secure?", on the growth of online banking and on new regulations being implemented that should lessen the risk of fraud losses.
The editorial says "regulators have decided that current security systems based on passwords, tokens and cookies aren’t strong enough. Starting this month, they want financial institutions to add a new layer that detects unusual patterns of activity — like a volley of transfers to an account in Russia — in real time." Good idea.
The editorial goes on to state:
"Regulations limit losses for individual victims of a cyberstrike to $500, forcing the bank to cover the balance. But businesses are not covered, and small companies are especially vulnerable because they move more cash around than individuals and cannot afford high-technology defenses."
Generally, the Electronic Fund Transfer Act (EFTA) and its Regulation E limit consumer fraud liability for online transfer or debit/ATM card losses to $50 if the fraud is reported within 2 days, or up to $500, as described, if it is reported within 60 days.
But small businesses are not protected at all, even though for all intents and purposes, they are treated as if they were consumers (not so well) by the banks.
One way to get the banks to protect our money better would be to limit consumer liability even further and to extend that liability limit to small businesses, and perhaps even to small governments and schools.
If banks had more skin in the game, they'd be more likely to protect our skin.
Note that consumer credit cards are much better protected than electronic transfers or debit/ATM cards, but by a different law, the Truth in Lending Act (TILA) and its Regulation Z. Most banks extend similar protection to debit cards, but only in some circumstances, and only by promise, not by law. Small businesses are not protected from fraud by either EFTA or TILA.