Keeping up with the constant changes in security measures necessary to handle the latest threats to data can make a business feel like it is running out of breath. When a business already has a quality data security system in place, implementing the latest security protocol may feel like a distraction and a waste of money. However, state and federal
The case is Shames-Yeakel v. Citizens Financial Bank, U.S.D.C., Northern District of Illinois, Case No. 07-c-5387. The plaintiffs operated a bookkeeping and accounting
In 2007, an unknown person gained access to the plaintiffs’ online accounts by using Ms. Shames-Yeakel’s username and password. This person ordered a $26,500 advance on the home equity line of credit, which was eventually transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.
Citizens Bank notified the plaintiffs that it intended to hold them liable for the loss. The online banking agreement between Citizens and the plaintiffs stated, “We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.” Citizens then began to bill the plaintiffs for the $26,500. When they failed to pay the balance on time, Citizens reported the account as delinquent to national credit bureaus. Citizens also threatened to foreclose on their home if the plaintiffs continued to refuse to make payments.
The plaintiffs complained to the Office of Thrift Supervision (“OTC”). However, the OTC informed them that it had no objection to Citizens holding them liable. In support of its conclusion, the OTC noted that Regulation E, which implements the Electronic Funds Transfer Act, only protects demand deposit and consumer asset accounts, not credit accounts like a home equity line of credit. It also noted that Regulation Z, which implements the Truth in Lending Act, only covers lines of credit when the credit is used for personal purposes. Here, because the plaintiffs had linked the line of credit to a business checking account, the OTC concluded that it was a business line of credit.
Ultimately, the plaintiffs sued Citizens, claiming that the bank’s actions violated the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.) and constituted common law negligence. The evidence regarding these claims was considered by the Court in its August 21, 2009 ruling on
The aspect of the case that may have the largest
Citizens argued that it had taken appropriate steps to secure its customers’ online accounts. To provide its online services, Citizens used Fiserv, a vendor with an undisputed reputation for providing high-quality information security services. Citizens also required all online banking customers to use passwords of their own creation and restricted access to its online banking system solely to bank employees who had a need to access it.
The plaintiffs argued that these procedures were not state of the art at the time of the theft. Citizens protected access with the use of a user name and password — or “single factor identification.” However, it could have used “
The plaintiffs claimed that while Citizens had begun to make some of these changes in 2007, it should have adopted them years earlier. They pointed to a 2005 document authored by the Federal Financial Institutions Examination Council (FFIEC), which found that single factor authentication was inadequate and discussed tokens as an alternative. See
Noting these facts, the Court concluded: “In light of
The Court’s conclusion in this case is not surprising. It is very difficult for a defendant to meet the summary judgment motion standards on the element of
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
Fn1 The Court agreed with the OTC that the Electronic Funds Transfer Act did not cover the plaintiffs’ claim because a credit account, not a deposit account, was involved in the illegal funds transfer. However, it rejected the OTC’s facile conclusion that a Truth in Lending Act claim was barred because the line of credit had been linked to the plaintiffs’ business checking account.