Keeping up with the constant changes in security measures necessary to handle the latest threats to data can make a business feel like it is running out of breath. When a business already has a quality data security system in place, implementing the latest security protocol may feel like a distraction and a waste of money. However, state and federal legislatures and regulators, as well as courts around the country, are increasingly unwilling to let businesses slack off from the cyber-security arms race. As seen in a recent Indiana District Court decision, failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care and expose a business to liability for data breaches.
The case is Shames-Yeakel v. Citizens Financial Bank, U.S.D.C., Northern District of Illinois, Case No. 07-c-5387. The plaintiffs operated a bookkeeping and accounting service from their home, presciently named “Best Practices.” The plaintiffs had personal checking accounts with the defendant, Citizens Financial Bank, as well as a business account under the Best Practices name. The plaintiffs also obtained a home equity line of credit from Citizens, which they drew on to make a down payment on a loft in Chicago, pay off their auto loans, make roof repairs to their residence and purchase a car for their daughter. The plaintiffs linked the line of credit to their Best Practices business checking and made payments on the line through that account.
In 2007, an unknown person gained access to the plaintiffs’ online accounts by using Ms. Shames-Yeakel’s username and password. This person ordered a $26,500 advance on the home equity line of credit, which was eventually transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.
Citizens Bank notified the plaintiffs that it intended to hold them liable for the loss. The online banking agreement between Citizens and the plaintiffs stated “We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.” Citizens then began to bill the plaintiffs for the $26,500. When they failed to pay the balance on time, Citizens reported the account as delinquent to national credit bureaus. Citizens also threatened to foreclose on their home, if the plaintiffs continued to refuse to make payments.
The plaintiffs complained to the Office of Thrift Supervision (“OTC”). However, the OTC informed them that it had no objection to Citizens holding them liable. In support of its conclusion, the OTC noted that Regulation E, which implements the Electronic Funds Transfer Act, only protects demand deposit and consumer asset accounts, not credit accounts like a home equity line of credit. It also noted that Regulation Z, which implements the Truth in Lending Act, only covers lines of credit when the credit is used for personal purposes. Here, because the plaintiffs had linked the line of credit to a business checking account, the OTC concluded that it was a business line of credit.
Ultimately, the plaintiffs sued Citizens, claiming that the bank’s actions violated the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.) and constituted common law negligence. The evidence regarding these claims was considered by the Court in its August 21, 2009 ruling on Citizens’ motion for summary judgment.
The aspect of the case that may have the largest precedential impact was its decision on the plaintiffs’ negligence cause of action. (Fn1) A major basis for their negligence claim was the theory that financial institutions have a common law duty to protect their members’ or customers’ confidential information against identity theft. While the Court could not find controlling State precedent on point (Indiana law applied), it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The Court then stated, “If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.”
Citizens argued that it had taken appropriate steps to secure its customers’ online accounts. To provide its online services, Citizens used Fiserv, a vendor with an undisputed reputation for providing high-quality information security services. Citizens also required all online banking customers to use passwords of their own creation and restricted access to its online banking system solely to bank employees who had a need to access the system.
The plaintiffs argued that these procedures were not state of the art at the time of the theft. Citizens protected access with the use of a user name and password — or “single factor identification.” However, it could have used “multifactor identification”, in which factors beyond these two are used to verify the identity of users trying to log onto the system. The plaintiffs also argued that the bank should have used tokens — devices which are carried by the user and generate ever-changing security codes.
The plaintiffs claimed that while Citizens had begun to make some of these changes in 2007, it should have adopted them years earlier. They pointed to a 2005 document authored by the Federal Financial Institutions Examination Council (FFIEC) which found that single factor authentication was inadequate and discussed tokens as an alternative. See http://www.ffiec.gov/pdf/authentication_guidance.pdf.
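To make the distinction the plaintiffs drew concrete, here is an added example (not from the opinion, from Citizens or from Fiserv) of the two login checks side by side: a password-only check, and a password plus a token code that changes every 30 seconds, computed the way the token standards RFC 4226 (HOTP) and RFC 6238 (TOTP) specify. The account name, the password, the salt and the PBKDF2 parameters are constructed for the demo, and the token seed is the published RFC 4226 test-vector secret, not a real credential. The example goes one step beyond the post by also refusing to accept the same token code twice, which is what keeps a code intercepted during a session from being reused.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account. The password and salt are made up for this
# example; the token seed is the RFC 4226 / RFC 6238 test-vector secret.
_SALT = b"constructed-salt"
USERS = {
    "bestpractices": {
        "pw_salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "token_seed": b"12345678901234567890",
        "last_counter": -1,  # highest time step already accepted; blocks code replay
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current 30-second time step (what a token displays)."""
    return hotp(seed, now // step, digits)


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison of a PBKDF2 hash of the offered password."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["pw_salt"], 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login_single_factor(username: str, password: str) -> bool:
    """The scheme the bank used: whoever holds the password is let in."""
    return check_password(username, password)


def login_multifactor(username: str, password: str, code: str,
                      now: Optional[int] = None, step: int = 30, window: int = 1) -> bool:
    """Password plus the token's current code; the password alone is not enough."""
    if not check_password(username, password):
        return False
    user = USERS[username]
    now = int(time.time()) if now is None else now
    current = now // step
    # Tolerate one step of clock drift either way, but never a step already used.
    for counter in range(current - window, current + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["token_seed"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    t = 59  # fixed clock so the run is reproducible
    pw = "correct horse battery"
    code = totp(USERS["bestpractices"]["token_seed"], t)
    print("single factor, password known:     ", login_single_factor("bestpractices", pw))
    print("multifactor, password but no token:", login_multifactor("bestpractices", pw, "000000", now=t))
    print("multifactor, password + token code:", login_multifactor("bestpractices", pw, code, now=t))
    print("same token code presented again:   ", login_multifactor("bestpractices", pw, code, now=t))
```

Run as written, the first line prints True and the third True; the second and fourth print False. The password check succeeds in both schemes, so the only thing that separates them is the second factor: a code that is valid for one time step and accepted once.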
Noting these facts, the Court concluded: “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.” Accordingly, the Court let the plaintiffs’ negligence claim go forward.
The Court’s conclusion in this case is not surprising. It is very difficult for a defendant to meet the summary judgment motion standards on the element of standard of care. However, the Court’s decision that a failure to expeditiously implement state-of-the-art security procedures can constitute a breach of the standard of care is also an indication of how a jury might decide this case, as well. Cyber-security may be a rat race. Unfortunately, you may not be able to stop running.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
Fn1 The Court agreed with the OTC that the Electronic Funds Transfer Act did not cover the plaintiffs’ claim because a credit account, not a deposit account, was involved in the illegal funds transfer. However, it rejected the OTC’s facile conclusion that a Truth in Lending Act claim was barred because the line of credit had been linked to the plaintiffs’ business checking account. Rather, because the funds from the line of credit had been used for personal purposes, the Court found that the TILA claim could go forward. The Court also let the plaintiffs’ Fair Credit Reporting Act claim go forward, because there was sufficient evidence that the Bank had failed to note the disputed nature of the debt in its reports to the credit bureaus and that it had failed to properly investigate their complaints.