Some lawsuits are frivolous, but most are not. If industry practices, the government, or some other combination of factors makes it impossible for you to avoid some kind of loss, your only recourse may be to file a lawsuit.
I was reminded of this principal recently when I learned a couple in Illinois recently sued their bank for failing to secure their account from identity thieves. The bank tried to quash the lawsuit, but an Illinois district court judge recently issued a ruling allowing it to proceed. And for once, I agree. The lawsuit is definitely not frivolous.
Here's what happened, according to the allegations in the lawsuit:
In February 2007, an intruder obtained online access to the wife's Citizens Financial banking account using her user name and password. The intruder authorized an electronic transfer of US$26,500 from the couple's line of credit to the wife's business account. Next, the intruder initiated a transfer of the funds to an Austrian bank.
When the couple realized what had happened, they contacted Citizens Financial and requested the money be returned. The bank refused and suggested that they contact the bank in Austria. But, the Austrian bank also refused to return the money.
Shortly thereafter, Citizens Financial began billing the couple pay off the line of credit. When they failed to pay, the bank reported them as delinquent to national credit reporting agencies. The bank also threatened foreclosure proceedings against their home. These threats stopped once the couple began making monthly payments to the bank for the stolen funds.
Under the circumstances, the couple felt they had no option except to file a lawsuit against the bank. Among other claims, the lawsuit alleges negligence under Illinois law. According to the lawsuit, the bank didn't use the best available technology to protect its depositors, leaving the account vulnerable to identity fraud.
This is a situation in which a legitimate account holder really can't control. It's remarkably easy for an identity thief to plant a "backdoor" program on your computer. From that point, the program records every keystroke on your PC. Periodically, it sends a report to the thief. In the couple's case, the program apparently recorded the log on information to their bank account. Once the thief had this information, initiating the US$26,500 theft was easy.
The only solution to the problem is for banks that offer online access to make it impractical for identity thieves to impersonate legitimate account holders. There are numerous technologies available to make this possible. However, unless banks are held legally accountable for these types of losses, they have little incentive to introduce this technology.
This is the model the credit card industry uses, and it works. Under federal law, if someone steals your credit card number, you're only responsible for paying the first $50 of any fraudulent purchases made on it. Credit card fraud is a problem, but the cost is borne by credit card companies—and even more, by merchants.
This illustrates an important security principle. The person or entity most able to reduce a security risk should be responsible for dealing with it. In this case, the couple had no practical way to ensure the security of their account. Only the bank had the ability to do so, and they apparently failed in this obligation.
This lawsuit has a long way to go before the situation is resolved, and the banking industry is certain to resist taking responsibility for the online services they offer. But they must do so, if only because they are the only possible solution to this type of identity theft.
(For background on this incident, click here.)
Copyright © 2009 by Mark Nestmann
Comments