David Johnson’s review of Shames-Yeakel v. Citizens Financial Bank centers around concepts of “expeditious implementation” and “state-of-the-art” security measures.
At issue is whether Citizens can be held liable for negligence in a data breach case.
The plaintiffs claimed that while Citizens had begun to make some of these [multi-factor authentication] changes in 2007, it should have adopted them years earlier. They pointed to a 2005 document authored by the Federal Financial Institutions Examination Council (FFIEC) which found that single-factor authentication was inadequate and discussed tokens as an alternative. See http://www.ffiec.goc/pdf/authentication_guidance.pdf.
Noting these facts, the Court concluded: “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.” Accordingly, the Court let the plaintiffs’ negligence claim go forward.
The Court’s conclusion in this case is not surprising. It is very difficult for a defendant to meet the summary judgment motion standards on the element of standard of care. However, the Court’s decision that a failure to expeditiously implement state-of-the-art security procedures can constitute a breach of the standard of care is also an indication of how a jury might decide this case. Cyber-security may be a rat race. Unfortunately, you may not be able to stop running.
Definitely an interesting case to watch. Multi-factor authentication specified by the FFIEC has been implemented in various manners by banks to “comply” with the letter. The case hopefully will therefore explore what constitutes a reasonable level of security for this one control and beyond (i.e. should everything center on this one vulnerability, and the failure to address it, or is weak authentication just a symptom of wider negligence). The bank will have a hard time explaining the reason(s) for delay, which could help provide a more formal idea to others of how to prioritize security within their compliance programs. The case may also help regulators step up their audits as they can now point to negligence claims as a sort of bad-cop enforcement scenario — auditors may play up the good-cop trying to help a bank avoid trouble down the road.