A federal judge's decision to permit a couple to sue their bank after a data security breach will allow a jury to decide whether the bank's online security was sufficient.
Marsha and Michael Shames-Yeakel of Indiana sued Citizens Financial Bank in 2007 after an attacker broke into their online account and stole $26,500 from a home equity credit line. The lawsuit, filed in the northern district of Illinois, alleges a number of violations, including that the bank's online security lagged behind industry standards. On Aug. 21, U.S. District Judge Rebecca Pallmeyer rejected the bank's request to dismiss the claim.
"A number of courts have recognized that fiduciary institutions have a common law duty to protect their members' or customers' confidential information against identity theft," she wrote.
David D. Johnson, a lawyer who specializes in digital media issues at California-based Jeffer Mangels Butler & Marmaro LLP, detailed the data breach case in his blog. In a phone interview, he noted the various laws and regulations requiring financial institutions to protect their customers' data.
"What makes this case important is the standard it says a bank had to apply in order to satisfy all those requirements," he said. "And what it [the court] essentially said is that a jury is entitled to find that a bank's security procedures must be state of the art."
The couple's lawsuit cites the FFIEC's 2005 guidance that financial institutions deploy multi-factor authentication for online banking. In her ruling, Pallmeyer noted that the bank said it began to implement additional security measures in early 2007 by issuing physical tokens, but admitted that only single-factor authentication protected the couple's account at the time of the theft in February 2007. The attacker used Marsha Shames-Yeakel's username and password to access the couple's online account and then ordered a $26,500 advance on the couple's home equity line of credit, which was eventually wired to a bank in Austria.
"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect plaintiff's account against fraudulent access," Pallmeyer wrote.
The judge's ruling clears the way for a jury trial to decide whether the bank's security measures were appropriate, Johnson said. A trial date hasn't been set, but the case shows how banks can't "opt out of the arms race," he said.
"The arms race between the hackers and security professionals has to stay state of the art or the business faces a risk of being held liable for data thefts," Johnson said.
Another lawsuit filed recently also argues that a bank's security was insufficient in the wake of a data security breach. As reported by The Washington Post, Patco Construction Co. of Maine is suing Ocean Bank, a division of People's United Bank, alleging that the bank didn't take enough steps to stop criminals from stealing Patco's online banking credentials and siphoning more than $500,000 from its account. Patco claims the bank failed to offer any form of token-based authentication, the paper reported.
In a blog post about the case on legal information website FindLaw.com, San Francisco lawyer Eric Sinrod noted that Patco also claims that Ocean bank should have detected the improper transfers as suspicious because they were larger than usual and sent to accounts that Patco had never transferred money to.
"The object lesson of this lawsuit is not necessarily what the ultimate outcome will be based on its unique facts," Sinrod wrote. "The real point is that causes of action do exist in the law that can make a third party, like a bank, potentially responsible for harm suffered by others at the hands of cyber criminals."
"Thus, not only should online companies protect themselves from online criminal conduct, they should consider and develop measures to protect their customers from such conduct, when it is foreseeable and when industry knowledge and standards demand such protection," he added.