In a ruling issued last month, Judge Rebecca Pallmeyer, of the District Court for the Northern District of Illinois, denied a request by Citizens Financial Bank to dismiss a negligence claim brought against it by Marsha and Michael Shames-Yeakel. The Crown Point, Ind. couple -- customers of the bank -- alleged that Citizens' failure to implement up-to-date user authentication measures resulted in the theft of more than $26,000 from their home equity line of credit.
The negligence claim was one of several claims brought against Citizens by the couple. Although, Pallmeyer dismissed several of the other claims, she allowed the negligence claim against Citizens to stand. She noted that the couple had shown that a "reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."
The ruling highlights an issue that security analysts have been talking about for a long time: the need by companies to show due diligence in protecting customer data against malicious and accidental compromise. Security analysts have warned that companies that can't prove they took adequate measures to protect data could find themselves exposed to legal liability after a data breach.
Numerous lawsuits alleging such negligence have been filed against companies over the last two years. Most of those cases, however, involved payment card data breaches in which large numbers of accounts were compromised and in which victims want compensation. Courts typically sided with the breached entities in such lawsuits, and in many cases summarily dismissed the claims.
The decision in the Shames-Yeakel case was first reported on Digital Media Lawyer Blog, which is written by David Johnson, a lawyer specializing in digital media law with Jeffer, Mangels, Butler and Marmaro LLP in Los Angeles. The case shows how the failure to expeditiously implement state-of-the-art security measures can open companies to negligence claims, Johnson wrote.
The ruling shows that a "failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care," he warned.
The dispute stems from a February 2007 incident in which an intruder gained access to the Shames-Yeakel's equity credit line account using their username and password. The intruder then proceeded to take an advance of $26,500 from the account and transfer it to a bank in Austria. The fraudulent transaction wasn't discovered by the couple until 10 days later, by which time it was too late to recover the money.
Citizens held the couple responsible for paying back the money, and claimed that under its online terms and conditions it had no liability for any unauthorized transactions that were made using legitimate usernames and passwords. It said there was no liability unless it had been notified in advance about the possibility of unauthorized use and had been given a reasonable opportunity to act on that notice.
Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting access to user account.
But the Shames-Yeakels claimed those measures were inadequate. They said that at the time of the breach, Citizens was still relying on usernames and passwords to control access to accounts while others had begun using two-factor authentication, including token-based authentication, that is considered more secure. They pointed to a 2005 document by the Federal Financial Institutions Examination Council (FFIEC), which called single-factor authentication inadequate and recommended the use of two-factor authentication by banks.
In her ruling, Pallmeyer noted that Citizens had begun implementing stronger authentication measures in 2007 but supported only single-factor authentication at the time of the theft. The apparent delay in complying with the FFIEC's recommendations could indicate that the bank had breached its duty to protect account holder information, she wrote.
Although the judge has cleared the case for trial, no court date has been set, and Citizens' officials declined to comment on the pending litigation.