Open menu


Print PDF
Subscribe to Publications


Bank Faces Negligence Claim Over Online Banking Security Practices

September 15, 2009

Are your organization's security practices lagging behind current industry standards?  In addition to increasing the risk of a security breach, delaying implementation of recommended security measures may also increase your company's liability risk.

In 2007, Citizens Financial Bank customers Marsha and Michael Shames-Yeakel's equity line of credit was hacked into, resulting in a loss of over $26,000.  The perpetrators used Ms. Shames-Yeakel's user ID and password to transfer the funds to the couple's business checking account, then wire transferred the money to banks in Hawaii and, later, Austria (not an unusual m.o. of hackers in these circumstances).  Citizens Financial investigated but, unable to recover the funds, pursued the Shames-Yeakels for collection.

The Shames-Yeakels (plaintiffs) filed a multi-count lawsuit in a U.S. District Court in Illinois against Citizens Financial. The suit alleged violations of various federal laws as well as negligence based on the bank's failure to sufficiently protect their accounts from fraudulent access. Citizens Financial brought a motion to dismiss all claims.  The court held, among other things, that the plaintiffs could pursue a claim for negligence based on Citizens Financial's online banking security practices lagging behind recommended industry standards.

Evidence offered by the Shames-Yeakels included a 2005 guidance issued by the Federal Financial Institutions Examination Council denouncing the use of single-factor authentication for protecting online bank accounts as "inadequate."  At the time the plaintiffs' account was compromised, Citizens Financial was using only single-factor authentication and had delayed upgrading to a multi-factor authentication process.  On this basis, the court found the Shames-Yeakels could pursue their negligence claim against Citizens Financial.

The decision serves as a reminder to financial institutions (and other organizations engaging in online transactions using consumer personal information) of the importance of maintaining industry standard security practices.  Review the court's decision here.