Data breach lawsuit puts spotlight on bank's security measures

By Marcia Savage, Site Editor, SearchFinancialSecurity.com
08 Oct 2009 | SearchFinancialSecurity.com


A federal judge's decision to permit a couple to sue their bank after a data security breach will allow a jury to decide whether the bank's online security was sufficient.

Marsha and Michael Shames-Yeakel of Indiana sued Citizens Financial Bank in 2007 after an attacker broke into their online account and stole $26,500 from a home equity credit line. The lawsuit, filed in the northern district of Illinois, alleges a number of violations, including that the bank's online security lagged behind industry standards. On Aug. 21, U.S. District Judge Rebecca Pallmeyer rejected the bank's request to dismiss the claim.

"A number of courts have recognized that fiduciary institutions have a common law duty to protect their members' or customers' confidential information against identity theft," she wrote.

David D. Johnson, a lawyer who specializes in digital media issues at California-based Jeffer Mangels Butler & Marmaro LLP, detailed the data breach case in his blog. In a phone interview, he noted the various laws and regulations requiring financial institutions to protect their customers' data.

"What makes this case important is the standard it says a bank had to apply in order to satisfy all those requirements," he said. "And what it [the court] essentially said is that a jury is entitled to find that a bank's security procedures must be state of the art."

The couple's lawsuit cites the FFIEC's 2005 guidance that financial institutions deploy multi-factor authentication for online banking. In her ruling, Pallmeyer noted that the bank said it began to implement additional security measures in early 2007 by issuing physical tokens, but admitted that only single-factor authentication protected the couple's account at the time of the theft in February 2007. The attacker used Marsha Shames-Yeakel's username and password to access the couple's online account and then ordered a $26,500 advance on the couple's home equity line of credit, which was eventually wired to a bank in Austria.

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect plaintiff's account against fraudulent access," Pallmeyer wrote.

The judge's ruling clears the way for a jury trial to decide whether the bank's security measures were appropriate, Johnson said. A trial date hasn't been set, but the case shows how banks can't "opt out of the arms race," he said.

"The arms race between the hackers and security professionals has to stay state of the art or the business faces a risk of being held liable for data thefts," Johnson said.

Another lawsuit filed recently also argues that a bank's security was insufficient in the wake of a data security breach. As reported by The Washington Post, Patco Construction Co. of Maine is suing Ocean Bank, a division of People's United Bank, alleging that the bank didn't take enough steps to stop criminals from stealing Patco's online banking credentials and siphoning more than $500,000 from its account. Patco claims the bank failed to offer any form of token-based authentication, the paper reported.

In a blog post about the case on the legal information website FindLaw.com, San Francisco lawyer Eric Sinrod noted that Patco also claims that Ocean Bank should have detected the improper transfers as suspicious because they were larger than usual and were sent to accounts to which Patco had never transferred money before.

"The object lesson of this lawsuit is not necessarily what the ultimate outcome will be based on its unique facts," Sinrod wrote. "The real point is that causes of action do exist in the law that can make a third party, like a bank, potentially responsible for harm suffered by others at the hands of cyber criminals."

"Thus, not only should online companies protect themselves from online criminal conduct, they should consider and develop measures to protect their customers from such conduct, when it is foreseeable and when industry knowledge and standards demand such protection," he added.
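The two signals cited in the Patco complaint, a transfer much larger than the account's usual activity and a destination the customer has never paid before, are the kind of checks a bank's transaction-monitoring layer can apply before releasing a payment. The following is an added illustration, not code from either lawsuit or from any bank named in this article; it constructs a hypothetical history of routine transfers for a business account and scores a new transfer against it, escalating to out-of-band confirmation when both signals fire. The `Transfer` type, the destination identifiers, the 3-sigma amount threshold and the decision labels are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    amount: float       # transfer amount in the account's currency
    destination: str    # hypothetical opaque identifier for the receiving account


# Constructed history for a hypothetical business account: nine routine
# transfers of roughly $10,000 to two destinations the customer has paid before.
SAMPLE_HISTORY = [
    Transfer(9500.0, "payroll-vendor"), Transfer(10200.0, "supplier-a"),
    Transfer(9800.0, "payroll-vendor"), Transfer(11000.0, "supplier-a"),
    Transfer(10500.0, "payroll-vendor"), Transfer(9900.0, "supplier-a"),
    Transfer(10100.0, "payroll-vendor"), Transfer(10800.0, "supplier-a"),
    Transfer(9700.0, "payroll-vendor"),
]


def anomaly_reasons(history, candidate, sigma=3.0, min_history=5):
    """Return the list of reasons a candidate transfer looks unusual.

    Two independent signals are checked:
      - the amount is far above the customer's historical baseline, and
      - the destination has never received money from this account.
    """
    reasons = []
    amounts = [t.amount for t in history]

    if len(amounts) >= min_history:
        # Enough history for a statistical baseline: flag anything more than
        # `sigma` standard deviations above the mean. If every past transfer
        # was identical (sd == 0), fall back to the historical maximum.
        mu, sd = mean(amounts), pstdev(amounts)
        limit = mu + sigma * sd if sd > 0 else max(amounts)
        if candidate.amount > limit:
            reasons.append("amount_above_baseline")
    elif amounts and candidate.amount > max(amounts):
        # Thin history: be conservative and compare against the largest prior transfer.
        reasons.append("amount_above_baseline")

    if candidate.destination not in {t.destination for t in history}:
        reasons.append("new_destination")
    return reasons


def decide(history, candidate):
    """Map the anomaly signals to a release decision for the transfer."""
    reasons = anomaly_reasons(history, candidate)
    if len(reasons) >= 2:
        # Both signals together are the pattern described in the Patco claim:
        # hold the payment until the customer confirms it through a channel
        # separate from the online banking session that requested it.
        return "hold_for_out_of_band_confirmation", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed suspicious transfer: nine times the usual amount, to an
    # account this customer has never paid.
    print(decide(SAMPLE_HISTORY, Transfer(90000.0, "overseas-unknown")))
    print(decide(SAMPLE_HISTORY, Transfer(10300.0, "payroll-vendor")))
```

The hold decision deliberately relies on a channel the attacker does not control: confirming through the same compromised online session would only ask the attacker to approve their own transfer.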
