Illinois Ct: Bank May be Liable for Failing to Secure Online Account

In what appears to be a significant and somewhat groundbreaking decision, a federal court in Illinois ruled that a couple whose online access to their credit line was compromised could hold the bank liable for failing to adequately safeguard the account. (Shames-Yeakel v. Citizens Financial Bank / Case No. 07-C 5387) (first blogged by the Digital Media Lawyer Blog here and picked up by Wired's Threat Level here). Wired links to the ruling here: [pdf].

Background:  the facts are *somewhat* straightforward.  The plaintiffs were customers of Citizens Financial Bank.  In 2007, someone gained unauthorized access to plaintiffs' credit line, obtained an advance of $26,500, transferred the amount to the plaintiffs' account, then to a bank in Hawaii, and finally to an Austrian bank.  By the time the dust settled, and plaintiffs reported the situation to the bank, the miscreants were long gone, and the Austrian bank refused to refund the money.  Citizens (plaintiffs' bank) was unable to retrieve plaintiffs' funds and told plaintiffs it intended to hold plaintiffs liable.  Citizens sent plaintiffs statements when monthly payments became due, and when plaintiffs disputed and failed to pay, Citizens sent the matter to collections.  Plaintiffs brought suit (I think) seeking to hold the bank liable for the loss, and alleging violations of other rules, including the Fair Credit Reporting Act, Truth in Lending Act, and the Electronic Funds Transfer Act. 

What happened? The bank moved for summary judgment. The court denied the bank's motion, holding that the bank could be liable in negligence for failing to adequately secure the plaintiffs' account. As the Digital Media Lawyer Blog notes:
The aspect of the case that may have the largest precedential impact was its decision on the plaintiffs' negligence cause of action. A major basis for the negligence claim was the theory that financial institutions have a common law duty to protect their members' or customers' confidential information against identity theft. While the court did not find controlling state law precedent on point...it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The court then stated: "[i]f this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."
There were several other claims, some of which survived and some of which didn't, and many factual disputes (was the account used primarily for personal or business purposes?), but the key portion of the ruling is on plaintiffs' negligence claims.

****

The takeaways?

Out-of-Pocket Loss: I guess the first one is that data breach claims may succeed where there is actual out-of-pocket loss. This is pretty consistent with what the courts rejecting data breach class actions say, but to date, the claims (from a consumer standpoint) have not been presented in the context of actual money stolen.

What Security Standards Should Have Been Used: The court's discussion of what standards the bank should have used is interesting. Citizens just used a standard username + password means of identifying its users, and the court was receptive (at least at the summary judgment stage) to the argument that the bank should have used more (e.g., an identifying question in addition to name and password, computer identification, tokens, etc.).

How Was the Account Compromised:  The court didn't discuss this much, but I was definitely curious as to how the plaintiffs' password was compromised.  Maybe they were careless with it, or gave it to someone?  Maybe they used open wifi?  There wasn't any actual evidence that the hacking occurred on the bank side.

What About the Terms of Use:  The bank pointed to exculpatory language in the terms of use, but this did not undermine plaintiffs' claims.  The court didn't go into detail on this point, but one way of looking at it is that contract language doesn't always limit claims based on negligence.  There's always some wiggle room as to whether a claim sounds in negligence, and some resulting uncertainty as to whether contract language sufficiently insulates against these claims.  Some duties cannot be disclaimed by contract.

State vs. Federal Law: The court's decision here is based on state law. To the extent this represents any sort of a trend, will companies operating across state lines lobby for some sort of federal legislation governing this, at least as to particular industries, such as financial institutions?

Should Other Types of Online Providers Be Worried: The court's decision is based on recognition that "fiduciary institutions have a common law duty to protect their members' or customers' confidential information." What types of institutions does this cover, in the internet era? How about Facebook, for example? Does it have a common law duty to protect its members' confidential information? Probably not, but I'm guessing this is something that will come up in the future for them.