FAQ on the "BEST PRACTICES Act" - Part Two
We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill, known as the “Building Effective Strategies to Promote Responsibility, Accountability, Choice, Transparency, Innovation, Consumer Expectations and Safeguards Act” (a.k.a. the “BEST PRACTICES Act” or the “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally the data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, the various exemptions for de-identified information, and the application and enforcement of the Act.
What is the “Safe Harbor and Self-Regulatory Choice Program” that is referenced in the Act?
This appears to be a novel mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” that is based on a self-regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:
- the express affirmative consent obligations in section 104(a);
- the requirements of access to information under section 202(b) of the Act; or
- liability in a private right of action brought under section 604 of the Act (discussed below).
Avoidance of the Act’s private right of action is especially significant in this context.
How does the “Choice Program” work?
It appears that people or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a. a Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and such modifications must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision, or its failure to act within the 270-day period, to a U.S. District Court.
The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.
This section is very interesting, as it appears to allow for some regulatory flexibility and recognizes the limitations of a one-size-fits-all approach. Ostensibly, certain industry segments could develop a Choice Program that more closely fits their business model or industry (while of course still providing the protection and choice the Act seeks to impose).
What are the requirements of a Choice Program under section 403 of the Act?
In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:
- a clear and conspicuous opt-out mechanism that, when selected by the individual, prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and may offer individuals a preference tool to enable them to make more detailed choices about the transfer of covered information to a third party; and
- a clear and conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preferences would have to be followed by all covered entities in the Choice Program.
I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entities can agree to provide individuals with a set of choices, the individual does not have to make the same choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between businesses and individuals seeking to protect their privacy and more efficiently control their information.
In addition, a Choice Program will be approved by the FTC only if it establishes:
- guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;
- procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process);
- procedures for periodic assessment of the Choice Program’s procedures;
- periodic compliance testing of covered entities participating in the Choice Program; and
- consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC).
Again, this provision is extremely interesting. It would appear to require some sort of private regulatory body to be set up around the Choice Program (e.g. like the PCI Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.
Are there any types of information or activities exempted from regulation by the Act?
Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:
- Aggregate information (see 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or
- Covered information or sensitive information from which identifying information has been removed or obscured using reasonable/appropriate methods such that there is no reasonable basis to believe that the information can be used to identify the specific individual to which it relates or the computer or device owned or used by a specific individual (see 501(a)(2)).
May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?
Yes, under section 502 information in that format may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect,” including:
- refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information; and
- obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.
Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?
Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from that information. In short, the Act makes it illegal for third parties that receive de-identified covered/sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations to establish exemptions from this rule.
How does the Act relate to or interact with other Federal privacy laws?
Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, the CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful for limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts may find themselves needing to address multiple regulatory regimes for different parts of their organization or with respect to different business practices.
How is the Act to be enforced by government agencies?
Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I – III of the Act shall be considered an unfair and deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act shall apply as well.
Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official/agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose civil penalties as described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general, penalties may be available for every day that a covered entity is not in compliance with the Act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.
Does the Act provide a private right of action?
Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate sections 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:
- the greater of actual damages of not less than $100 and not more than $1000;
- punitive damages; and
- in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.
Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.
Does the Act preempt similar State laws?
The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information addressed in the Act.” However, the Act specifically would not preempt any of the following State laws:
- State laws that address the collection, use or disclosure of health information or financial information;
- State breach notice laws;
- State trespass, contract or tort law; or
- other State laws to the extent that those laws relate to acts of fraud.
When would the Act come into effect if passed into law?
The Act, if passed, will take effect 2 years after the date it is enacted. However, the FTC has the option to stay enforcement of the Act in order to establish the parameters of the Choice Program under title IV.
The Curious Case of EMI v. Comerica: A Bellwether on the Issue of "Reasonable Security"?
Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.
The Allegations
On a general level the EMI Lawsuit involves a basic fact pattern that is similar to several online banking security breach cases: criminals were able to obtain the login credentials of a bank’s business customer and wire transfer large sums of money from the customer’s account (in the EMI lawsuit approximately $560,000 was allegedly wired). Like other online banking cases, the bank in this case (Comerica) did not reimburse EMI for the unauthorized wire transfers, and this lawsuit was eventually filed.
However, the EMI Lawsuit differs in two substantial ways from the online banking cases InfoLawGroup previously reported on. First, unlike the other online banking breach suits, in the EMI Lawsuit Comerica had implemented (and EMI was using) 2-factor authentication. In particular, Comerica had implemented a token-based 2-factor system. It appears that Comerica online banking customers were provided with a physical token that generated random numbers at regular time intervals (i.e. the token number was always changing at a regular interval). To utilize online banking, Comerica customers would have to input their username and password as well as the random number showing on their token. Without all three pieces of information, logging into Comerica's online banking would not be possible.
Second, in the other lawsuits, it was not known (or at least unclear from the complaint) how the criminals obtained the banking customer’s online banking credentials. In the EMI Lawsuit, however, the bad guys allegedly obtained EMI’s login credentials through a “phishing attack.” EMI alleges that one of its employees was tricked into giving those login credentials to the criminals via a spoofed email that purported to be from Comerica. This fake email was allegedly similar to those sent by Comerica to EMI in the past. Apparently the EMI employee would have provided not only the user name and password, but also the random number from the token. The complaint alleges that the thieves were able to conduct about 97 money transfers over a period of approximately 6 ½ hours.
Analysis
This case raises several interesting legal issues. In fact, this case could ultimately illuminate how courts view the scope of a “reasonable security” duty.
Existence and Scope of a “Reasonable Security” Duty.
One of the issues that will be key in this case is whether the bank has a legal duty to prevent these types of phishing attacks. The Shames-Yeakel case has recognized a general duty to protect a customer's online banking accounts. In that case, however, it is unclear how the bad guys obtained the banking customer's online credentials. This case is a little different because phishers were able to trick the customer into volunteering its online banking credentials. Assuming a general duty exists, the question is whether that duty extends to preventing (or reducing the risk of) the bank's customers being duped by social engineering attacks like phishing.
On that issue, in the EMI Lawsuit (like many of the other online banking lawsuits) the plaintiffs allege that Comerica failed to comply with the “commercially reasonable” security procedure requirement under Michigan’s version of UCC 4A-202 (MCLA 440.4702(2)), which provides in relevant part:
(2) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
Subsection (3) explains how “commercial reasonableness” is to be determined under MCLA 440.4702(2):
(3) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.
Significantly, the existence of a duty and whether Comerica's security procedures were commercially reasonable under MCLA 440.4702(2) are questions of law, and will be decided by the Court, not a jury. Also of note, some of the plaintiffs’ allegations track the factors laid out in MCLA 440.4702(3), including allegations that EMI had only performed two wire transfers in the two years prior to the attack. From a legal standpoint, assuming this case does not settle, since this is a question of law we could see some actual briefings and a court decision on the issue of reasonable security.
One of the factors that courts look to in order to determine whether a duty exists and its scope is foreseeability: was this attack and/or the resulting harm foreseeable by the bank? In fact, EMI alleges that the secure token technology was one that was already known to fail. On this issue, in general, we know that phishing attacks have been around for a while. We also know that banks and other organizations have developed approaches to try to prevent these types of attacks. Finally, security professionals tell me that the use of phishing to foil two-factor authentication is also a risk that has been discussed in the past. In fact, a similar phishing attempt spoofing a Citibank online banking portal was reported back in 2006. As such, we will likely see significant arguments from both sides on this issue.
“Reasonableness,” Industry Standards and Tug Boats
This case is interesting because Comerica was actually using 2-factor authentication. In the Shames-Yeakel matter, the court ruled that the failure of the bank to use two-factor authentication as suggested by FFIEC guidance created a question of fact appropriate for a jury. Thus, unlike Shames-Yeakel and other online banking cases, at least with respect to authentication, it appears that Comerica was meeting what some would call the "industry standard.”
However, at this point in time it is possible that a court could rule that 2-factor authentication only serves as a floor, and industry standards for online banking security may have evolved further. In other words, to the extent this “man in the middle” type of attack was known and there are methods for addressing it (especially in the phishing context), the “industry standard” for online banking may be 2-factor authentication PLUS other security measures. Again, plaintiffs allege several other measures they believe should have been in place, including verifying the computer sending the wire transfer instructions, security testing and fraud monitoring programs. The key issue here will be determining what other similar banks are doing to address this risk.
Moreover, even if 2-factor authentication is considered the “industry standard,” under the law an entire industry may not be implementing reasonable security. The rationale for this was explained by Judge Learned Hand in the famous (for first year law students at least) T.J. Hooper case. In T.J. Hooper, the plaintiffs were shipping two barges full of cargo when the ships encountered a storm. The barges were accompanied by two tugboats owned by the defendants. Unfortunately the tugs were unable to safely pull the barges from the storm and the cargo they carried was lost. The plaintiffs asserted that the defendants were negligent because their tugboats were not equipped with effective radio sets capable of receiving warning of the storm. The defendants argued that they did not owe the plaintiffs a duty to carry such a radio because such radios were a new technology and it was not a common practice in the tugboat industry to carry them. Judge Learned Hand disagreed:
Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. . . . Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.
What is the import of this? Under the law, for purposes of negligence, a defendant can avoid liability even if a plaintiff suffered harm, as long as the defendant did not breach its duty of care. In this context, if the bank's security measures were "reasonable" under the law it would not be liable. I think the fact that the bank used 2-factor authentication and can point to the FFIEC guidance will help its cause in this respect. Nonetheless, it is possible the court will rule either that industry standards have evolved further or that the entire online banking industry was “lagging” behind in its reliance on 2-factor authentication. From a legal perspective it will be very interesting to watch the court’s analysis on the issue of reasonableness as it relates to industry standards (and hopefully it will provide more guidance for lawyers and banks going forward).
What about EMI’s fault?
There is a concept in the law called contributory negligence (or comparative negligence). You can read more about it here. Essentially this concept recognizes that a plaintiff (the bank customer in this case) may have also been negligent and may have contributed to the harm it allegedly suffered. In some States if the plaintiff was more than 50% responsible, it would be barred from any recovery. Other states, including Michigan (where the EMI Lawsuit was filed) employ a “modified comparative negligence” approach. Using this approach, if the plaintiff was 60% negligent and the bank 40%, the bank would be responsible for only 40% of the plaintiff's loss. I think there is likely a good argument to be made that EMI should bear some of the responsibility for the unauthorized use of their online banking accounts. In fact, if you read Comerica’s answer to EMI’s complaint you will see that Comerica appears to be taking that position:
16. Denied that the alleged website “appeared to be a Comerica website” to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.
26. Denied that any perpetrators infiltrated EMI’s bank accounts. Valid credentials assigned to an EMI employee were used to authenticate a logon for purposes of online banking transactions. If some unknown criminals used those credentials, rather than the EMI employee to whom they had been entrusted, this was caused solely by the actions of that EMI employee.
Whether EMI bears some responsibility will be a very fact-intensive inquiry that will include an analysis of the spoofed email, Comerica's previous practices concerning requests for login credentials, and the actions and decision-making process of the employee that provided the credentials to the criminals.
Conclusion
In general, I believe that these online banking cases have more legs than other types of security breach lawsuits because the plaintiffs have suffered actual damages/harm. Evidence of this is the Shames-Yeakel case, which proceeded past a motion for summary judgment. Contrast this with the numerous security breach cases brought by consumers that have been dismissed relatively early in litigation. In those cases, the plaintiffs whose information was stolen have argued that they suffered harm because they had to pay for credit monitoring. Courts have more or less consistently rejected this argument. For online banking cases, plaintiffs don’t have that problem. In this case the plaintiff is out hundreds of thousands of dollars, so damages are clear.
So if a plaintiff can get past the motion to dismiss phase on the issue of damages, do the defendants have an opportunity to get a summary judgment (rather than risk having to present their case to a judge and jury, something every company likes to avoid, if possible)? The problem for banks is that the issue of whether a bank’s security measures were “reasonable” is likely a “question of fact.” Courts are typically not willing to grant summary judgment where questions of fact exist for a jury to decide.
That said, this case is a little different than those in my other blog post because of the phishing issue and because the issue of commercial reasonableness is a question of law under MCLA 440.4702(2). Whether a duty exists under the law is typically a question of law that Courts (as opposed to juries) decide. I think there will be a battle at both the pleading and summary judgment phases, with the banks trying to argue that they have no duty under the law to prevent their customers from being duped and that their practices were commercially reasonable under MCLA 440.4702(2). If Comerica does not win these arguments then this case could go to a jury, which poses legal risk.
Online Banking and "Reasonable Security" Under the Law: Breaking New Ground?
With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law. Ironically, this question may be answered by reference to a 20-year-old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank ("PATCO”) and JM Test Systems, Inc. v. Capital One Bank ("JMT")) and a court’s ruling on a motion for summary judgment in a similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment, the “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the "damages" pleading phase, it (and possibly these other online breach suits) reveals how some courts view security "standards" and approach the question of whether a company has achieved "reasonable security." I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.
Plaintiffs’ Allegations
In general, these matters involve a fairly consistent general set of allegations:
- the bank allowed a small business to utilize online banking, including ACH transfers;
- nefarious third parties somehow gained access to the plaintiffs’ online banking account (e.g. login credentials such as username, password, “secret question”, etc.), which allowed them to use the online banking system to transfer (a.k.a. steal) funds out of the plaintiffs' bank account;
- the bank failed to provide notice to the plaintiffs of unusual or suspicious activity; and
- the bank’s security measures did not prevent the fraudulent transfers and were not commercially reasonable.
In addition, the following facts were alleged in one or more of the three cases:
- the bank failed to block a transfer request from an IP address that was previously unused by the plaintiff (e.g. an IP address was different than typically used by the plaintiff);
- the bank did not utilize multi-factor authentication (e.g. “token-based” authentication or fax confirmation);
- the allowable daily transfer limit vastly exceeded the plaintiffs’ average/maximum daily transfers (e.g. in PATCO, the daily maximum limit was $750k, but the most PATCO ever needed to transfer was $36.6k);
- the funds were transferred to individual accounts to which the plaintiffs had never transferred funds before; and
- despite having been informed of unauthorized transactions by the plaintiff, the bank did not close the account in order to prevent more fraudulent transactions (JMT case only).
Alleged Legal Theories
Based on these facts the plaintiffs asserted various causes of action against the banks relating to security practices. In both PATCO and JMT, the plaintiffs referenced the bank’s failure to comply with section 4A-202 (ISSUE AND ACCEPTANCE OF PAYMENT ORDER) of the Uniform Commercial Code (in PATCO the plaintiffs cited MRSA 4-1202 and in JMT they cited RS 10:4A-202). Under 4A-202, as long as the bank and its customer have agreed that the customer will be verified pursuant to a “security procedure”, a payment order received from the customer will be considered an effective order by the customer, whether it was actually authorized by the customer, but only if the security procedure was “commercially reasonable” and followed by the bank. In PATCO, for example, the plaintiffs alleged that 4A-202 had been violated for the following reasons:
- failure to offer/use multi-factor authentication to authenticate the plaintiffs’ identity for online transactions;
- use of an unreasonably low trigger for “challenge question” authentication;
- failure to provide an IP address block that would block orders originating from unapproved IP addresses;
- failure to detect fraud even though the amounts of the payments were the largest ever made under the account, were sent to accounts to which funds had never been transferred, originated from an IP address that had never previously been used and occurred on days on which the plaintiff normally did not make payments;
- failure to offer a dual control option requiring two people to log on in order to complete a payment transaction;
- allowing a transfer limit that exceeded the needs of the plaintiff;
- failure to manually review ACH payment batches prior to submission for payment; and
- failure to provide email alerts concerning unusual transactions.
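The two lists above (the facts alleged across the three cases and the PATCO allegations under 4A-202) describe the same handful of per-order signals: an unfamiliar source IP, a beneficiary never paid before, an amount larger than any prior order, an order on a day the customer does not normally pay, and a daily limit far above the customer's real needs. The following is an added example, not code from the post or from any of the banks or plaintiffs, of what those signals look like as review logic run over a customer's order history. Field names, thresholds (the 2-flag hold rule and the 5x limit multiple) and the sample history are constructed; the $750k limit and $36.6k historical maximum echo the PATCO numbers quoted above.

```python
"""Added example: the per-order fraud checks alleged in the PATCO/JMT/Shames-Yeakel
complaints, as review logic. Not the banks' code; names, thresholds and the
sample history below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class PaymentOrder:
    amount: float
    beneficiary: str   # destination account identifier (constructed labels)
    source_ip: str     # address the order was submitted from
    sent_on: date


@dataclass
class CustomerProfile:
    daily_limit: float           # limit the bank configured for the account
    history: List[PaymentOrder]  # orders the customer previously submitted


def review_order(order: PaymentOrder, profile: CustomerProfile) -> List[str]:
    """Return the reasons an order should be held for manual review; an empty
    list means none of the alleged signals fired. Each check mirrors one
    allegation: new IP, new beneficiary, record amount, unusual weekday."""
    if not profile.history:
        return ["no history to compare against"]  # a new account is its own review case
    known_ips = {h.source_ip for h in profile.history}
    known_beneficiaries = {h.beneficiary for h in profile.history}
    usual_weekdays = {h.sent_on.weekday() for h in profile.history}
    past_max = max(h.amount for h in profile.history)

    reasons = []
    if order.source_ip not in known_ips:
        reasons.append("new source IP")
    if order.beneficiary not in known_beneficiaries:
        reasons.append("new beneficiary account")
    if order.amount > past_max:
        reasons.append("largest order ever on this account")
    if order.sent_on.weekday() not in usual_weekdays:
        reasons.append("sent on a day the customer does not normally pay")
    return reasons


def should_hold(order: PaymentOrder, profile: CustomerProfile, threshold: int = 2) -> bool:
    """Hold the order (pending a call-back, dual approval, or manual batch
    review) once `threshold` or more signals fire. Threshold is assumed."""
    return len(review_order(order, profile)) >= threshold


def limit_mismatch(profile: CustomerProfile, multiple: float = 5.0) -> bool:
    """Account-configuration check rather than a per-order one: is the daily
    limit more than `multiple` times the largest order the customer has ever
    sent? (PATCO: $750k limit against $36.6k actual need.)"""
    past_max = max((h.amount for h in profile.history), default=0.0)
    return profile.daily_limit > multiple * max(past_max, 1.0)


# Constructed sample history: payroll runs on Fridays from one office address.
HISTORY = [
    PaymentOrder(31_200.00, "PAYROLL-001", "203.0.113.10", date(2009, 5, 1)),
    PaymentOrder(36_600.00, "PAYROLL-001", "203.0.113.10", date(2009, 5, 8)),
    PaymentOrder(29_800.00, "PAYROLL-001", "203.0.113.10", date(2009, 5, 15)),
]
PROFILE = CustomerProfile(daily_limit=750_000.00, history=HISTORY)

# Constructed orders: one that matches every alleged red flag, one routine.
SUSPICIOUS_ORDER = PaymentOrder(98_000.00, "ACCT-9921", "198.51.100.77", date(2009, 5, 19))  # Tuesday
ROUTINE_ORDER = PaymentOrder(12_000.00, "PAYROLL-001", "203.0.113.10", date(2009, 5, 22))    # Friday

if __name__ == "__main__":
    for label, order in (("suspicious", SUSPICIOUS_ORDER), ("routine", ROUTINE_ORDER)):
        print(label, "->", review_order(order, PROFILE), "hold:", should_hold(order, PROFILE))
    print("daily limit far above historical need:", limit_mismatch(PROFILE))
```

None of these checks is novel or expensive, which is the plaintiffs' point: the signals were already in the bank's own records, and the question for the court is whether reviewing them was part of a "commercially reasonable" procedure rather than something beyond it.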
In addition to a UCC violation, all of the cases included allegations of negligent security and breach of contract. In Shames-Yeakel, the plaintiffs alleged that the bank’s failure to implement multi-factor authentication did not comply with a document put out by the Federal Financial Institutions Examination Council (“FFIEC”) entitled “Authentication in an Internet Banking Environment” (the FFIEC Report), and therefore presented questions of fact as to negligence. The JMT plaintiff, in support of its negligence claim, alleged a failure to meet the security standards of “similarly situated” national banks, a failure to implement security procedures that were “commercially reasonable,” and a failure of the bank to comply with its own existing security procedures.
The Judgment on the Shames-Yeakel Motion for Summary Judgment
While the PATCO and JMT complaints have not yet been tested on motion, the Shames-Yeakel plaintiffs have survived a summary judgment motion. In addition to other statutory claims that were particular to the fact pattern at hand, and relevant to this blog post, the plaintiffs alleged that the bank was negligent in failing to protect the plaintiffs’ online account, and in particular breached its duty to sufficiently secure its online banking system.
As such, the threshold question the court addressed was whether a duty to “sufficiently secure” its online banking existed for the Bank. On that point, the court extrapolated a duty to secure based on a bank’s general duty to refrain from disclosing its customer’s information:
A number of courts have recognized that fiduciary institutions have a common law duty to protect their members’ or customers’ confidential information against identity theft. Although this court could not find an Indiana case addressing the matter, Indiana courts have held that a bank “has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest.” If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.
(citations omitted; emphasis added). Apparently, according to the court, the bank-defendant did not dispute the existence of a duty to protect the plaintiffs’ account from fraudulent access. However the bank did contest the plaintiffs’ allegations that the bank breached its duty and that the breach caused harm to the plaintiffs.
On that issue, the court focused on the FFIEC Report. According to the court, the FFIEC Report indicated that single-factor identification was “inadequate” for securing online transactions of financial institutions. Moreover, a vice president of the bank admitted that the bank did not implement additional security measures beyond single factor identification until after the breach at issue. Thus, the court held that a reasonable finder of fact could potentially conclude that the bank breached its duty. Moreover, since the bank had not reimbursed the plaintiffs for their economic loss, the court ruled that a jury could find that the bank’s failure to secure caused such economic loss (as well as mental and emotional anguish).
Analysis
The Shames-Yeakel case (as well as potentially the PATCO and JMT cases down the line) is very interesting from a data security breach liability perspective. First, most data breach cases (typically involving suits by consumers or banks issuing credit cards) are dismissed early on for lack of damages or based on the economic loss doctrine. With online banking the damage component is clear (e.g. lost money) and since the loss of money arguably constitutes “direct damages” (rather than purely economic damages), the economic loss doctrine may not bar an action. As such the court must rule on substantive issues such as the existence of a duty to provide “reasonable security” and whether that duty was breached and caused damages. This is what happened in Shames-Yeakel.
The approach taken in Shames-Yeakel was also very interesting. In essence, the Court took a non-binding, completely voluntary “guidance” document and allowed it to serve as the standard of care for “reasonable security” in this context. This FFIEC Report was not an official “standard” and did not reflect any statutory requirements (for purposes of establishing a negligence per se theory). I am sure that the FFIEC and other bodies have put out a lot of papers (formal and informal) on various security and privacy issues, and if other courts are willing to accept these guidance documents as establishing standards (or, better stated, creating a question of fact for juries) then defendants in data breach cases may face some significant liability in the future. While this particular FFIEC Report may be the appropriate benchmark in this case, I would have liked to see the court explain its rationale in more detail for converting this guidance document into the standard of care (e.g. Why this particular document? What other kinds of documents or reports may establish the standard? If it was a report from a non-governmental body would it have the same weight? Must the standard reflect some sort of consensus? What opposing guidance or opinions exist, and how much weight are they given in determining or discarding a particular alleged standard? etc.)
Beyond the court’s decision to arguably elevate the importance of the FFIEC Report, it is not even clear that the report stands for the very broad proposition that single-factor authentication for online banking is inadequate. The following excerpt from the FFIEC Report summarizes the authors' views on the inadequacy of single-factor identification:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Note that the FFIEC Report indicates that single-factor authentication may be inadequate if it is the only control mechanism or where a risk assessment indicates that the use of single-factor authentication is inadequate. The FFIEC Report then lists layered security or multi-factor authentication as potentially compensating for single-factor authentication (I will let my security friends weigh in on this issue, as well as identify other potential compensating controls). In short, the FFIEC Report on its face seems to indicate that it is possible to utilize single-factor authentication with other controls such that risk is adequately mitigated. In contrast, the court in Shames-Yeakel stated the following:
In [the FFIEC Report] the Council described single-factor identification (username/password) as “inadequate” to secure the online transactions of financial institutions.
Despite overstating the conclusion of the FFIEC Report, however, overall the court’s decision to deny the motion for summary judgment may be okay. First, it is likely that both parties have contradictory expert testimony on the issue of reasonable security. Second, some testimony existed from the bank's vice president that appears to establish that only single-factor authentication was used by the bank (although this seems contradicted by the bank’s expert testimony that the bank employed reasonable security measures). Moreover, in general, whether single-factor authentication plus additional security adequately reduced the risk appears to be a factual question. I think the court could have come out with the same ruling without overstating the conclusions of the FFIEC Report simply by accurately citing the FFIEC Report and the vice president’s testimony, and indicating that both sides had contradictory opinions on the overall issue of whether the bank’s security was reasonable.
Conclusion
The Shames-Yeakel ruling highlights potential significant difficulties for defendants if plaintiffs are able to proceed past the motion to dismiss phase in a data breach lawsuit. Despite the court’s inaccurate description of the FFIEC Report, when the question of whether security controls were adequate to reduce risk to an appropriate level is posed, it will be difficult for defendants to win on summary judgment. Like many other types of lawsuits, it will come down to a “battle of the experts”, and for these cases a “battle of the standards” (e.g. which standards should the defendant have complied with and did they comply with them). As such, for data breach defendants the pleadings phase will be where the street brawl will take place. Defendants will want to (and should) aggressively attack the early “questions of law” (e.g. does a duty exist at all, did the plaintiff suffer legally cognizable harm). If plaintiffs can get past this phase, it seems that it will be a challenge for defendants to win a motion for summary judgment and avoid the prospect of a jury trial (I think, for many data breaches, causation will be the most likely candidate for a defendant victory on summary judgment).