Wednesday, September 23, 2009

bank will be held liable for red flag rules violations

US Court rules a bank can be sued for their failure to adopt multi-factor authentication.

Late last month an Illinois District Court ruled that a bank can be sued for its failure to adopt multi-factor authentication. The court concluded that a finder of fact could find the bank breached its duty to protect the plaintiffs’ account against fraudulent access, and that if the bank’s failure to adopt multi-factor authentication caused the fraudulent access to the plaintiffs’ account, it could be held liable for negligence.

In 2007, a hacker gained access to the plaintiffs’ online accounts by using the plaintiffs’ username and password. The hacker ordered a $26,500 advance on the plaintiffs’ home equity line of credit, which was transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.

Citizens Bank notified the plaintiffs that it intended to hold them liable for the loss. The online banking agreement between Citizens and the plaintiffs stated: “We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.” Citizens billed the plaintiffs for the $26,500, and when the plaintiffs failed to pay the balance on time, Citizens reported the account as delinquent to the credit bureaus and threatened to foreclose on their home if they continued to refuse to make payments.

The plaintiffs sued Citizens, claiming that the bank’s actions violated the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.) and constituted common law negligence.

The Court ruled, “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access[,]” and that “if the bank’s failure to adopt multi-factor authentication caused fraudulent access to plaintiffs’ account, it could be held liable for negligence.”

How does this case help technology providers that address the multi-factor authentication requirement?

Speaking only for the voice biometrics industry, the bank could have installed a speaker verification application as a second authentication factor. The application replaces the manual account authentication process performed by a customer service representative (CSR); you can read more about this process on my blog at http://glenyou.blogspot.com/2009/08/is-your-contact-center-protected-from.html . Furthermore, each phone or internet voice verification can be recorded and saved to a file, giving the bank evidence to defend against future claims that it failed to use multi-factor authentication.
