Bank's gettin theres, HOORA
Shames-Yeakel v. Citizens Financial Bank: Failure to Expeditiously Implement State-of-the-Art Security Measures Can Create Liability for Negligence in Data Breach Cases
Keeping up with the constant changes in security measures necessary to handle the latest threats to data can make a business feel like it is running out of breath. When a business already has a quality data security system in place, implementing the latest security protocol may feel like a distraction and a waste of money. However, state and federal legislatures and regulators, as well as courts around the country, are increasingly unwilling to let businesses slack off from the cyber-security arms race. As seen in a recent Indiana District Court decision, failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care and expose a business to liability for data breaches.
The plaintiffs complained to the Office of Thrift Supervision ("OTS"). However, the OTS informed them that it had no objection to Citizens holding them liable. In support of its conclusion, the OTS noted that Regulation E, which implements the Electronic Funds Transfer Act, only protects demand deposit and consumer asset accounts, not credit accounts like a home equity line of credit. It also noted that Regulation Z, which implements the Truth in Lending Act, only covers lines of credit when the credit is used for personal purposes. Here, because the plaintiffs had linked the line of credit to a business checking account, the OTS concluded that it was a business line of credit.
Ultimately, the plaintiffs sued Citizens, claiming that the bank's actions violated the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693, et seq.) and constituted common law negligence. The evidence regarding these claims was considered by the Court in its August 21, 2009 ruling on Citizens' motion for summary judgment.
The aspect of the case that may have the largest precedential impact was the Court's decision on the plaintiffs' negligence cause of action. A major basis for their negligence claim was the theory that financial institutions have a common law duty to protect their members' or customers' confidential information against identity theft. While the Court could not find controlling state precedent on point (Indiana law applied), it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The Court then stated, "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."
Banks gettin it,
THEIR TURN IN THE BARREL.
doin my happy dance...G
If you had ID theft show
this to your attorney, sue