Last month, we posted an amusing discussion (and comedy act) concerning whether or not "identify theft" was really a crime, or if it was really a bank robbery
where the bank was passing off the liability for its poor authentication system onto the bank customer. Apparently, just such an argument is already playing out in the courts. Steven Hoy
alerts us to a story of a couple who are suing their bank
, after someone masquerading as them accessed their account and transferred $26,000 to Austria. The details of the case
are a bit complex, but basically, the couple claims that the bank did not live up to basic standards in authentication, and cite the Federal Financial Institutions Examination Council's claim that notes that "single-factor authentication is inadequate and calls on banks to implement two-factor systems." Thus, the argument goes, the fault was the bank's security, and thus, the bank should be liable. The judge found that to be convincing:
"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.... If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."
Chalk one up for those who believe "identity theft" is actually a "bank robbery."