
P. O. BOX 19999, RALEIGH, NC 27619-9916 / 800-662-7044 / FAX: 919/881-9909

Legal Memorandum

December 16, 2009

Vol. 41, No. 9

TO: Legal Memorandum Mailing List

RE: Bank Information Security Programs

In the attached legal memo, Ben Davis of the Brooks, Pierce law firm analyzes a recent court case out of Illinois that calls attention to the importance of banks maintaining rigorous information security programs. The case involved unauthorized access to a customer’s online bank account and a subsequent transfer to an overseas bank account. In the litigation between the bank and its customer over the liability for this loss, the bank’s information security systems were called into question. The court held that the bank’s failure to comply with an FFIEC regulatory guidance could be used as evidence of the bank’s negligence. As Ben explains, this is, among other things, a cautionary tale about the dangers in failing to keep pace with changes in technology.

As always, please contact us if you have any questions concerning the issues discussed in this Legal Memorandum.

Sincerely,

Nathan R. Batts
Associate Counsel


E-Mail Address: bdavis@brookspierce.com

December 15, 2009

Mr. Paul H. Stock
Executive Vice President & Counsel
North Carolina Bankers Association
P.O. Box 19999
Raleigh, North Carolina 27619-1999

Dear Paul:

A court decision from a U.S. District Court in Illinois underscores the importance of financial institutions’ information security programs. The case, Shames-Yeakel v. Citizens Financial Bank, No. 07-C5387, 2009 WL 2949500 (N.D. Ill. Aug. 21, 2009), stemmed from a security breach involving plaintiffs’ online bank accounts that resulted in a $26,500 loss. The court refused to dismiss the plaintiffs’ negligence claim against defendant Citizens Financial Bank (the “Bank” or “Citizens”) and held that a reasonable fact finder could conclude that the Bank was negligent in using a single-factor authentication system in safeguarding the accounts. This letter briefly summarizes the ruling and its significance for financial institutions in North Carolina.

Facts

In 2003, plaintiffs Marsha and Michael Shames-Yeakel, residents of Indiana, opened a $50,000 home equity line of credit with defendant Citizens, which had branches in Chicago and northwest Indiana. At the time, the plaintiffs already had a business checking account and personal accounts with the Bank. In 2007, an unknown person with an IP address different from that of the plaintiffs gained access to their online bank accounts by using Ms. Shames-Yeakel’s user name and password. This person ordered a $26,500 advance on the plaintiffs’ home equity line and deposited the amount into the plaintiffs’ business account. The thief then wired the funds to a bank in Hawaii and from Hawaii to a bank in Austria. The plaintiffs called Citizens Financial Bank ten days later to report the unauthorized transfer, but it was too late—the Austrian bank ultimately refused to return the funds.

The Bank informed the plaintiffs it would hold them liable for the loss and began billing them for the balance associated with the withdrawal. In response, plaintiffs filed suit against the Bank. Citizens subsequently filed a motion for summary judgment asking the court to dismiss plaintiffs’ claims. The court’s ruling on the Bank’s summary judgment motion formed the basis of the opinion.


Mr. Paul H. Stock December 15, 2009 Page 2

Plaintiffs made a number of claims in their suit against the Bank, including that Citizens was negligent in failing to adequately protect customers’ online accounts from fraudulent access. Specifically, the plaintiffs claimed that at the time of the theft in 2007, the Bank’s online banking security lagged behind industry standards. At that time, Citizens protected online accounts using only a user name and password, or “single-factor authentication” (although the Bank was putting a multi-factor authentication system in place). Plaintiffs argued that Citizens should have had multi-factor authentication protection at the time of the theft in 2007. They cited, and the court’s opinion quoted, an October 2005 document titled “Authentication in an Internet Banking Environment” by the Federal Financial Institutions Examination Council (“FFIEC”)1 (hereinafter the “FFIEC Report”), which applied to both retail and commercial customers and which stated:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.

Id. at 4 (quoting FFIEC Report at 1).

Decision

The district court dismissed some of plaintiffs’ claims and allowed others to proceed to trial. Significantly, the court refused to dismiss plaintiffs’ negligence claim. The court stated that under Indiana law, banks have a common law duty to protect customers’ online accounts through sufficient security measures. “In light of Citizen’s apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.” Shames-Yeakel, 2009 WL 2949500, at *11.

Analysis

An evaluation of the significance of Shames-Yeakel for the banking industry in North Carolina must take into account several limiting factors. First, the opinion is not binding on courts in the Fourth Circuit (the federal circuit covering North Carolina), although it could have persuasive value for North Carolina federal or state courts that consider issues involving financial institutions’ systems for protecting online bank accounts. In addition, since the ruling was in response to a motion for summary judgment, it was not a final adjudication of the Bank’s negligence. Rather, the court had to consider the evidence in the light most favorable to the plaintiffs—the non-moving party.

1

The FFIEC is a federal interagency body that advises agencies regulating financial institutions on appropriate regulatory standards. For a copy of the FFIEC’s October 2005 “Authentication in an Internet Banking Environment,” see http://www.ffiec.gov/pdf/authentication_guidance.pdf.

Second, in many cases involving breaches of customers’ consumer online deposit or credit accounts,2 federal statutes limit customer liability without considering the relative negligence of the parties involved. For example, the Electronic Funds Transfer Act3 (the “EFT Act”) and Regulation E,4 which implements the Act, limit a consumer’s potential liability for unauthorized electronic transfers from a deposit account to $50 if he or she reports the loss or theft of an ATM card or PIN within two business days of discovery.5 The Truth in Lending Act (“TILA”)6 and Regulation Z,7 which implements TILA, limit both consumer and business liability for unauthorized electronic debits to a credit card account to $50.8

Third, as a practical matter, pursuant to the FFIEC Report cited in Shames-Yeakel and related guidance from federal regulatory agencies, as of January 1, 2007, banks are required to implement multi-factor authentication (or some other form of “enhanced” protection, such as layered security, above and beyond single-factor authentication) for online account activities such as accessing customer information and funds transfers.9 Given this regulatory requirement, the effect of Shames-Yeakel on the use of single-factor authentication by North Carolina financial institutions should (hopefully) be limited.

2

The term “consumer” is generally defined as an individual using a deposit or credit account primarily for personal, family, or household purposes. See Reg. E, 12 C.F.R. § 205.2(b)(1); Reg. Z, 12 C.F.R. § 226.2(a)(11) and (12).

3

15 U.S.C. § 1693 et seq.

4

12 C.F.R. Part 205.

5

12 C.F.R. § 205.6(b)(1). The customer’s liability is limited to $500 as long as he or she reports any unauthorized transfer appearing in an account statement within 60 days of transmittal of the statement. 12 C.F.R. § 205.6(b)(2). Regulation E covers such things as ATM transactions and online bill payment services as well as debit card transactions.

6

15 U.S.C. § 1601 et seq.

7

12 C.F.R. Part 226.

8

15 U.S.C. § 1643; 12 C.F.R. § 226.12(b). See also United States v. Bice-Bey, 701 F.2d 1086, 1092 (4th Cir. 1983) (holding that fraudulent use of credit card account numbers qualified as fraudulent use of a “credit card” under the Truth in Lending Act).

Finally, it is not a foregone conclusion that a court applying North Carolina law would find a common law duty to protect bank customers against identity theft. In Shames-Yeakel, the court could not find an Indiana case specifically addressing the matter. Instead, it relied on decisions from Michigan and New York courts that found such a duty.

North Carolina courts have not addressed whether banks have a common law duty to prevent identity theft involving bank customers. The North Carolina Supreme Court stated, in a 1962 opinion, that “[d]epositors have the right of secrecy. A bank therefore is under an implied obligation to keep secret its records of accounts, deposits, and withdrawals.” Sparks v. Union Trust Co. of Shelby, 124 S.E.2d 365, 367 (N.C. 1962) (quoting 5 Zollman, Banks and Banking (Perm.Ed.) § 3413, 379-80). The Sparks court, however, considered whether a bank had a duty to disclose adverse information about its customer to another party about to enter into a business deal with the customer. It was in that context that the supreme court stated that a bank had an obligation to keep customer information confidential. It would require a significant leap from the Sparks opinion to find that banks have a common law duty (apart from any contractual or statutory duties) to actively protect customer information from malicious third-party hackers.10

9

See FFIEC Report. The FDIC issued a Financial Institution Letter dated October 12, 2005 (FIL-103-2005), which attached the FFIEC Report and stated (i) “single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services” and (ii) “Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.” The FDIC issued a second Financial Institution Letter dated August 21, 2006 (FIL-77-2006), in which it attached the FFIEC’s “Frequently Asked Questions on Authentication in an Internet Banking Environment,” dated August 16, 2006 (hereinafter the “FAQ”). One question in the FAQ asked if an institution could perform a risk assessment and conclude that stronger authentication is not warranted. In response, the FAQ specifically stated “[a]n institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.” Id. at 3 (emphasis added).

10

The South Carolina Supreme Court may have taken a step in the other direction. In Huggins v. Citibank, N.A., 585 S.E.2d 285 (S.C. 2003), the South Carolina Supreme Court considered a case in which a noncustomer sued various banks under the theory that the banks were negligent in issuing credit cards to an unknown imposter. The court refused to recognize the tort of negligent enablement of imposter fraud. The South Carolina Supreme Court stated that “[t]he relationship, if any, between credit card issuers and potential victims of identity theft is far too attenuated to rise to the level of a duty between them. Even though it is foreseeable that injury may arise by the negligent issuance of a credit card, foreseeability alone does not give rise to a duty.” Id. at 277.

In Eisenberg v. Wachovia Bank, 301 F.3d 220 (4th Cir. 2002), a victim of a fraudulent investment scheme appealed the dismissal of negligence claims he had brought against Wachovia Bank. Wachovia had opened an unauthorized account in the name of Bear Stearns, which account was used to deceive the investor. The Fourth Circuit, in affirming the dismissal, held that under North Carolina law, the bank did not owe a duty of care to a noncustomer with whom the bank had no direct relationship. Id. at 226. Of course, the opinion arguably left the door open for a bank customer that has been the victim of identity theft to bring negligence claims against the customer’s bank.

While the foregoing limitations suggest Shames-Yeakel, by itself, may not have a sweeping effect on North Carolina financial institutions, the opinion is still noteworthy for a couple of reasons. First, it is an important reminder that online security systems can easily be compromised if they are not reviewed and updated on an ongoing basis. As previously illustrated, such intrusions often result in a bank paying for the theft out-of-pocket without ever going to court, as consumer protection statutes (such as the Truth in Lending Act and the EFT Act) limit customer liability in many cases. A reduction in identity theft through improved information security systems can therefore positively impact a financial institution’s bottom line.

Second, the opinion illustrates that even when a customer’s liability is not automatically limited by statute, in some cases the bank may have to prove its online security system meets “industry standards.” These situations may arise even in the absence of a “common law” duty imposed by courts. For example, a wire transfer initiated via an online banking service would be exempt from the EFT Act.11 Instead, the provisions of Article 4A of the Uniform Commercial Code, which governs wire transfers, would normally apply.12 Article 4A allows banks to shift liability to customers for unauthorized transfers, provided the bank followed a “commercially reasonable” security procedure in accepting a payment order.13 Whether a security procedure is “commercially reasonable” under Article 4A is a question of law to be decided by a judge.14 The Official Commentary to the UCC states that “a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable.”15

In such cases, compliance with regulatory requirements is a necessity—if the government has already declared a particular level of security is insufficient for financial institutions, it may be exceedingly difficult to convince the judge or jury otherwise. As previously stated, the court in Shames-Yeakel held that the fact that Citizens failed to comply with the FFIEC regulatory guidance could be used as evidence of its negligence.16 Of course, meeting regulatory requirements is necessary, but not sufficient, to show an information security program meets “industry standards.”

11

Reg. E, 12 C.F.R. § 205.3(c)(3) (“[T]he term electronic fund transfer does not include . . . [a]ny transfer of funds through Fedwire or through a similar wire transfer system that is used primarily for transfers between financial institutions or between businesses.”).

12

N.C. GEN. STAT. Chapter 25, Article 4A.

13

N.C. GEN. STAT. § 25-4A-202(b).

14

N.C. GEN. STAT. § 25-4A-202(c).

15

Conclusion

Shames-Yeakel v. Citizens Financial Bank is a timely reminder of the importance of financial institutions’ information security systems. Financial institutions cannot perform a risk assessment of their systems and procedures, implement changes based on the assessment, and then rest on their laurels. This is an area where someone in the bank (or at least working with the bank) must stay abreast of new risks and new technological offerings. Banks should make decisions about what is “commercially reasonable” in light of the reasonably foreseeable risks in their software applications, while keeping in mind that what is considered commercially reasonable will change over time as technologies and threats evolve. The alternative may involve becoming a cautionary tale of the perils of complacency.

Sincerely,

J. Benjamin Davis

16

Shames-Yeakel, 2009 WL 2949500, at *11.
