Should Banks Pay When Passwords Breached?

Suits allege banks didn’t protect against bogus transfers
September 28, 2009

The question of whether a banking institution is financially responsible for a breach of a consumer’s online financial account information is one that courts are being asked to consider in two separate cases – one a federal case in northern Illinois, the other in York County Superior Court in Maine.

The Maine case, filed by the Patco Construction Company against Ocean Bank, a division of the Bridgeport, Conn.-based People’s United Bank, arises out of the institution’s alleged “failure to fulfill one of its most basic obligations, namely, to protect its customers’ funds against theft,” according to the complaint available online via The Washington Post.

According to Post tech blogger Brian Krebs, thieves hijacked the construction firm’s online banking credentials and transferred some $588,000 over an eight-day period in May 2009.

Meanwhile, a U.S. District Court judge in Illinois recently ruled Marsha and Michael Shames-Yeakel can continue with their lawsuit alleging the Illinois-based Citizens Financial Bank “failed to guard access to [the Shames-Yeakel] account with adequate security features.”

Thieves transferred $26,500 from the Indiana couple’s home equity line of credit (HELOC) to the couple’s business account before wiring the funds to a bank in Hawaii, and then on to a bank in Austria, the complaint alleges.

Judge Rebecca Pallmeyer allowed the couple’s negligence claim to stand, noting, by Computerworld's account, that a “reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”

Gartner analyst John Pescatore told Dark Reading he doesn’t expect the couple will have much success. “The real issue is the user’s responsibility to protect their passwords, just as it is the car driver’s responsibility to protect the car keys,” he said.

As for Patco, Ocean Bank’s ebanking and bill payment agreement states that commercial customers “assume all liability and responsibility to monitor those commercial accounts on a daily basis. In the event that you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs,” according to the Post. Patco attorney Daniel J. Mitchell counters that the contract between his client and the bank doesn’t absolve the institution of responsibility for protecting its customers from fraud. “The bank says that under the law, it’s all our problem, and we disagree,” Mitchell told the Post.

All the more reason to keep a close eye on your online financial accounts — whether they’re personal or corporate.


©2003-2010 Identity Theft 911, LLC. All rights reserved.
