Secret Service investigators later discovered someone had slipped a Trojan ๏ฟฝ a small bit of malicious code ๏ฟฝ past the firewall and anti-virus software Lopez assumed kept his computer protected. The Trojan, called Coreflood, had captured and transmitted Lopez's user name and password to a data thief, who probably sold it to Arnold or his associates.

Bank of America disavowed responsibility, prompting Lopez to sue the bank in federal court in Miami to get his money back. "We fully investigated his claims and determined that all of our internal protocols and security measures were in place," says Shirley Norton, a Bank of America spokeswoman.

In its defense, the bank has invoked an obscure section of the Uniform Commercial Code, state laws governing commercial contracts, which banks helped draft. It limits liability in delivering online services to businesses if certain safeguards are in place.

Norton says the bank considers Lopez a business customer doing commercial transactions, not a consumer doing household banking. Consumers are protected by federal laws that limit their fraud losses in most cases to $50. They must report discrepancies promptly and generally be able to show wrongdoing.

"It's a bank's way of saying, 'It's the customers' fault,' " says Gail Hillebrand, a senior attorney at Consumers Union.

Legal experts say BofA's stance makes sense. It is refusing to expose itself to liability arising from the countless malicious programs that infest PCs used by small companies, over which the bank has no control. Such exposure could force financial institutions to curtail online services being pitched to small firms, a promising growth area.