US Court rules a bank can be sued for its failure to adopt multi-factor authentication

Late last month an Illinois District Court ruled that a bank can be sued for its failure to adopt multi-factor authentication. The court concluded the bank breached its duty to protect the plaintiffs' account against fraudulent access and that, if the bank's failure to adopt multi-factor authentication caused fraudulent access to the plaintiffs' account, it could be held liable for negligence.

In 2007, a hacker gained access to the plaintiffs' online accounts by using the plaintiffs’ username and password. The hacker ordered a $26,500 advance on the plaintiffs’ home equity line of credit, which was transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.

Citizens Bank notified the plaintiffs that it intended to hold them liable for the harm. The online banking agreement between Citizens and the plaintiffs stated "We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." Citizens billed the plaintiffs for the $26,500, and when the plaintiffs failed to pay the balance on time, Citizens reported the account as delinquent to credit bureaus and threatened to foreclose on their home if they continued to refuse to make payments.

The plaintiffs sued Citizens, claiming that the bank's actions violated the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.) and constituted common law negligence.

The Court ruled, "In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access[,]" and if the bank's failure to adopt multi-factor authentication caused fraudulent access to plaintiffs' account, it could be held liable for negligence.
