In an interesting case, a couple sued a bank because someone obtained their passwords, got into their bank accounts, took money out of a line of credit and transferred the money to an overseas bank. The bank defended against the suit by claiming an agreement signed by the customers waived any (future) claims against the bank.
The customers alleged that the bank was negligent in failing to promptly implement security measures on their on-line access. Admittedly the bank was slow to implement the changes, but the bank claimed that it didn't matter since the customers had already waived any claims against the bank. The agreement stated to customers that the bank would “have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.” The court viewed the case as one where the written waiver didn't necessarily exclude a claim for negligence.
Usually the court will narrowly construe waivers, and apply them to the facts. If the conduct complained about is not specifically included in the waiver, the waiver will not exclude the claim.
The Threat Level Blog reported on this unusual case as follows (Excerpts):
Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen by Hacker
By Kim Zetter September 4, 2009
As initially reported by legal blogger, David Johnson, Marsha and Michael Shames-Yeakel sued Citizens Financial Bank in 2007 in the northern district of Illinois on several grounds, including a claim that the bank failed to provide state-of-the-art security measures to protect their account.
U.S. District Judge Rebecca Pallmeyer refused last week to grant a summary judgment in favor of Citizens Financial, stating in her ruling that “assuming that Citizens employed inadequate security measures, a reasonable finder of fact could conclude that the insufficient security caused Plaintiffs’ economic loss.”
The couple, who run a home-based bookkeeping, accounting and computer programming business, have been customers of Citizens Financial, which is based in Illinois, for 30 years. They maintained personal and business checking accounts with the bank as well as a $30,000 home equity line of credit, which was linked to the business checking account.
In February 2007, someone with a different IP address than the couple gained access to Marsha Shames-Yeakel’s online banking account using her user name and password and initiated an electronic transfer of $26,500 from the couple’s home equity line of credit to her business account. The money was then transferred through a bank in Hawaii to a bank in Austria.
The Austrian bank refused to return the money, and Citizens Financial insisted that the couple be liable for the funds and began billing them for it. When they refused to pay, the bank reported them as delinquent to the national credit reporting agencies and threatened to foreclose on their home.
The couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, claiming, among other things, that the bank reported them as delinquent to credit reporting agencies without telling the agencies that the debt in question was under dispute and was the result of a third-party theft. The couple wrote 19 letters disputing the debt, but began making monthly payments to the bank for the stolen funds in late 2007 following the bank’s foreclosure threats.
In addition to these claims, the plaintiffs also accused the bank of negligence under state law.
Judge Pallmeyer, however, was not convinced. She found court precedents showing that financial institutions have a common law duty to protect their customers’ confidential information against identity theft. Specifically, Indiana courts — where the Shames-Yeakels live — have held that a bank “has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest.” The judge therefore concluded in part that, “If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.”
This is a classic example of the tension between negligence causing a loss and a contract excluding liability. For any business, the key is to have a clear agreement that covers the intended claim. For the individual, the key is to understand what you are agreeing to when you sign an agreement. One curious thing is that the opinion says that the Plaintiff had been doing business with that bank for 30 years, yet the bank treated them very poorly. That was a bad business decision. I wonder how much future business they will lose because of their inability to resolve this problem with a longtime customer.