An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers' user name and password.

As reported by the blog New York Criminal Defense, David Johnson, Marsha and Michael Shames-Yeakel sued Citizens Financial Bank in 2007 in the northern district of Illinois on several grounds, including a claim that the bank failed to provide state-of-the-art security measures to protect their account.

U.S. District Judge Rebecca Pallmeyer refused last week to grant a summary judgment in favor of Citizens Financial, stating in her ruling (.pdf) that "assuming that Citizens employed inadequate security measures, a reasonable finder of fact could conclude that the insufficient security caused Plaintiffs’ economic loss."

Larry Smith, an attorney for the Shames-Yeakels, told Threat Level that he is surprised by and happy with the judge's ruling, particularly since the negligence claim was not the meat of their case against the bank.

"It's a novel claim of negligence that we're bringing," he said. "We were sort of throwing it out there. That was not at the forefront of our minds in going forward with the case that we've got to keep the negligence case alive."

The couple, who run a home-based bookkeeping, accounting and computer programming business, have been customers of Citizens Financial, which is based in Illinois, for 30 years. They maintained personal and business checking accounts with the bank as well as a $30,000 home equity line of credit, which was linked to the business checking account. [The judge's ruling indicates the credit line was $50,000, but the plaintiffs' lawyers say this is incorrect.]

In February 2007, someone connecting from an IP address different from the couple's gained access to Marsha Shames-Yeakel's online banking account using her user name and password and initiated an electronic transfer of $26,500 from the couple's home equity line of credit to her business account. The money was then transferred through a bank in Hawaii to a bank in Austria.

The Austrian bank refused to return the money, and Citizens Financial insisted that the couple be liable for the funds and began billing them for it. When they refused to pay, the bank reported them as delinquent to the national credit reporting agencies and threatened to foreclose on their home.

The couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, including, among other things, that the bank reported them as delinquent to credit reporting agencies without telling the agencies that the debt in question was under dispute and was the result of a third-party theft. The couple wrote 19 letters disputing the debt, but began making monthly payments to the bank for the stolen funds in late 2007 following the bank's foreclosure threats.

In addition to these claims, the plaintiffs also accused the bank of negligence under state law.

According to the plaintiffs, the bank had a common law duty to protect their account information from identity theft and failed to maintain state-of-the-art security standards. Specifically, the plaintiffs argued, the bank used only single-factor authentication for customers logging into its server (a user name and password) instead of multi-factor authentication, such as combining the user name and password with a token the customer possesses that authenticates the customer's computer to the bank's server or dynamically generates a single-use password for logging in.

At the time of the theft, Citizens had been in the process of issuing such tokens to customers, but the plaintiffs say the bank was too slow in rolling out this security measure. They pointed to a 2005 document from the Federal Financial Institutions Examination Council, which concluded that single-factor authentication was inadequate, and said that Citizens lagged behind other banks in offering this feature.

Citizens used a company named Fiserv to provide its online banking services, including information security services, and argued that Fiserv had a solid reputation in the banking industry and that its security measures were not the cause of the money transfer.

The bank also pointed to its online user agreement, which it said released it from liability. The agreement stated to customers that it would "have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."

Judge Pallmeyer, however, was not convinced. She found court precedents showing that financial institutions have a common law duty to protect their customers' confidential information against identity theft. Specifically, Indiana courts – where the Shames-Yeakels live – have held that a bank "has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest." The judge therefore concluded in part that, "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

With regard to Citizens' slow rollout of tokens to customers, Judge Pallmeyer stated that, "In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access."

She also concluded that the plaintiffs had grounds for claiming that the bank may have violated the FCRA in reporting them as delinquent to credit reporting agencies without revealing to the agencies that the outstanding debt was under dispute.

The plaintiffs' attorney, Smith, said it is not yet clear whether they will use the negligence issue to spearhead their case against the bank, but he said, "Hopefully, we'll get the jury angry enough with what's going on with this story. I think the story in and of itself brings in enough facts into each cause of action that we have."