Court allows suit against bank for lax security
Citizens Financial Bank should have offered strong authentication, plaintiffs claim
September 2, 2009 04:47 PM ETComputerworld - A couple whose bank account was breached can sue their bank for its alleged failure to implement the latest security measures designed to prevent such compromises.
In a ruling issued last month, Judge Rebecca Pallmeyer, of the District Court for the Northern District of Illinois, denied a request by Citizens Financial Bank to dismiss a negligence claim brought against it by Marsha and Michael Shames-Yeakel. The Crown Point, Ind. couple -- customers of the bank -- alleged that Citizens' failure to implement up-to-date user authentication measures resulted in the theft of more than $26,000 from their home equity line of credit.
The negligence claim was one of several claims brought against Citizens by the couple. Although, Pallmeyer dismissed several of the other claims, she allowed the negligence claim against Citizens to stand. She noted that the couple had shown that a "reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."
The ruling highlights an issue that security analysts have been talking about for a long time: the need by companies to show due diligence in protecting customer data against malicious and accidental compromise. Security analysts have warned that companies that can't prove they took adequate measures to protect data could find themselves exposed to legal liability after a data breach.
Numerous lawsuits alleging such negligence have been filed against companies over the last two years. Most of those cases, however, involved payment card data breaches in which large numbers of accounts were compromised and in which victims want compensation. Courts typically sided with the breached entities in such lawsuits, and in many cases summarily dismissed the claims.
The decision in the Shames-Yeakel case was first reported on Digital Media Lawyer Blog, which is written by David Johnson, a lawyer specializing in digital media law with Jeffer, Mangels, Butler and Marmaro LLP in Los Angeles. The case shows how the failure to expeditiously implement state-of-the-art security measures can open companies to negligence claims, Johnson wrote.
The ruling shows that a "failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care," he warned.
The dispute stems from a February 2007 incident in which an intruder gained access to the Shames-Yeakel's equity credit line account using their username and password. The intruder then proceeded to take an advance of $26,500 from the account and transfer it to a bank in Austria. The fraudulent transaction wasn't discovered by the couple until 10 days later, by which time it was too late to recover the money.
Citizens Financial bank. Shames-Yeakel
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
