WASHINGTON – While the recent fraud stemming from withdrawals from Municipal CU's ATMs attracted national headlines, the ATM sector itself may be ripe for major liability lawsuits and could face one sooner rather than later. That's the view of an attorney with years of experience working with ATM providers and financial institutions. ATM liability began to crop up as an issue as the sector became more aware of the possibility of skimming. Skimming is the theft of ATM card numbers and personal identification numbers from ATMs or their surrounding environments. The Electronic Funds Transfer Association (EFTA) has formed an ATM Integrity Task Force to both study the threat and recommend courses of action against it. The issue has layers of responsibility and obligation so tangled and overlapping that it may take a major lawsuit or series of lawsuits to begin to unravel them, according to Henry Polmer, a partner with the law firm of Piper Rudnick, a Washington D.C. firm. Polmer has served as general counsel to the banks that founded, and then sold, the Cirrus ATM Network to MasterCard International and as counsel to the EFTA, though that is not a role he fills currently. "What it may take is a major case, [to bring ATM liability to the fore]" Polmer said. " Not just a case where a number of financial institutions lose a small amount of money, but one where one institution takes a major loss." The problem is that the question of liability in regard to ATMs is uncharted territory in and of itself and so many of the techniques for stealing ATM data are more sophisticated than the policies meant to stop them. Polmer used the example of a "membrane" that could be placed over the keyboard of an ATM and, somehow, either thorough wiring or a radio signal, transmit data to a site remote from the ATM. "The membrane might not be obvious to the ATM user," Polmer said, "and using it would result in sending the users' PIN right to the thieves." Each of the different parts of the ATM sector is vulnerable to different liability concerns, according to Polmer and published reports. ATM manufacturers face liability risk because, in part, there is no universal standard for ATM machines, Polmer said. ATM machines are all a little different and this difference contributes to consumers' gullibility when facing machines with which thieves might have tampered, Polmer said. "I am regularly amazed at how few consumers will question whether an ATM machine `looks right' before they use them" he added, admitting that the lack of time most consumers want to spend at the machines contributes to the lack of attention. When looking at liability, ATM manufacturers have to be concerned that the concept of "industry standard" for the machines is evolving, Polmer said. "You can be held liable if you have warranted a machine as conforming to an industry standard and it does not do so, and there are areas where the industry standard is not clear." As an example Polmer raised the question of when ATM users' PIN information should be encrypted. The industry standard is that data transmitted from ATMs across networks is meant to be encrypted, he pointed out, but it is not as clear whether that encryption should happen right at the keypad or somewhere else in the machine and where the liability would be if that data was stolen before it could be encrypted. None of the ATM manufacturers would comment about the liability question. While Polmer said the potential liability of ATM manufacturers might seem a bit remote, there is more concern about the potential liability of networks which might allow unscrupulous parties to add machines to a network that they could use to steal card and PIN numbers. The only significant ATM skimming case on record so far involved a Russian organized crime member who placed a machine that he used to steal card and PIN numbers. The scam managed to net $3.5 million in a few weeks. Because of that case Polmer said he believed networks would begin to look more closely at who approaches them to add their machines to their network. "There used to be assumptions about the little guy who wants to put in an ATM or a few ATMs," Polmer said, "but I think that's all changed in a post-9/11, post fraud, world." No one from CO-OP Network, the nation's largest credit union ATM Network, was available to comment on the issue of network liability. Although the industry is organizing itself to fight ATM skimming, there are indications that a similar approach may not work when it comes to sorting out any liability questions. According to published reports, the issue of ATM liability is so controversial that the EFTA precluded the ATM Integrity Task Force from even taking up the issue. Kurt Helwig, executive director of the EFTA said that he didn't consider the Task Force the vehicle to discuss liability, preferring to leave it to the individual firm's attorneys. [email protected]