Friday, September 04, 2009

Courts - Relying on Indiana law, Illinois federal judge allows woman to sue bank for lax security after $26,000 stolen by hacker [Updated]

From a story by Kim Zetter of Wired:

An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers’ user name and password.

As initially reported by legal blogger, David Johnson, Marsha and Michael Shames-Yeakel sued Citizens Financial Bank in 2007 in the northern district of Illinois on several grounds, including a claim that the bank failed to provide state-of-the-art security measures to protect their account.

U.S. District Judge Rebecca Pallmeyer refused last week to grant a summary judgment in favor of Citizens Financial, stating in her ruling that “assuming that Citizens employed inadequate security measures, a reasonable finder of fact could conclude that the insufficient security caused Plaintiffs’ economic loss.” * * *

Citizens used a company named Fiserv to provide its online banking services, including information security services, and argued that Fiserv had a solid reputation in the banking industry and that its security measures were not the cause of the money transfer.

The bank also pointed to its online user agreement, which it said released it of liability. The agreement stated to customers that it would “have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.”

Judge Pallmeyer, however, was not convinced. She found court precedents showing that financial institutions have a common law duty to protect their customers’ confidential information against identity theft. Specifically, Indiana courts — where the Shames-Yeakels live — have held that a bank “has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest.” The judge therefore concluded in part that, “If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.”

With regard to Citizens’ slow rollout of tokens to customers, Judge Pallmeyer stated that, “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”

This ILB entry from August 25th began:
Be concerned. When the ILB posted this story July 27th from the Louisville Courier Journal about the theft of $415,000 of Bullitt County Kentucky's funds by Ukrainian hackers, it seemed an isolated incident.

Not so, according to this story today in the Washington Post, reported by Brian Krebs, and headed "European Cyber-Gangs Target Small U.S. Firms, Group Says."

The WAPO story is a "must read."

Re the 8/21/09 opinion in Shames-Yeakel v. Citizens Financial Bank (ND Ill., ED), it turns out that the bank has branch locations in NW Indiana and the Chicago area, and the plaintiffs reside in Crown Point. Plaintiffs "were customers of Citizens who fell victim to identity theft when an unknown person gained access to their online account and stole $26,500 from a home equity credit line. When Plaintiffs refused to pay Citizens for the loss, the bank reported their account as delinquent to the national credit bureaus and threatened to foreclose on Plaintiffs’ residence."

From p. 18 of the opinion:

Finally, Plaintiffs claim that Citizens acted negligently in a number of ways. The parties agree that Indiana law applies to this claim. In order to prove negligence in Indiana, a plaintiff must establish a duty owed by the defendant to conform its conduct to a standard of care arising from its relationship with the plaintiff; a breach of that duty; and an injury proximately caused by the breach of that duty. Benton v. City of Oakland City, 721 N.E.2d 224, 232 (Ind. 1999). Plaintiffs here argue that Citizens was negligent in violating the various statutory duties discussed above, and also in failing to sufficiently protect their accounts from fraudulent access in the first place. * * *

The unique issue within Plaintiffs’ negligence claim is their argument that Citizens breached its duty to sufficiently secure its online banking system. A number of courts have recognized that fiduciary institutions have a common law duty to protect their members’ or customers’ confidential information against identity theft. See, e.g., Jones v. Commerce Bancorp, Inc., (S.D.N.Y. May 23, 2006); Bell v. Mich. Council 25 of Am. Federation of State, County, Municipal Employees, (Mich. Ct. App. Feb. 15, 2005) (per curiam). Although this court could not find an Indiana case addressing the matter, Indiana courts have held that a bank “has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest.” Ind. Nat. Bank v. Chapman, 482 N.E.2d 474, 482 (Ind. Ct. App. 4th Dist. 1985) (citing Cont’l Optical Co. v. Reed, 119 Ind. App. 643, 86 N.E.2d 306 (1949)). If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.

Posted by Marcia Oddi on September 4, 2009 03:21 PM
Posted to Courts in general | Ind Fed D.Ct. Decisions | Indiana Decisions