Sharing responsibility: Court makes it harder for banks to sue companies responsible for data breach
Posted on 03/16/2016 at 12:00 AM by John Lande
This blog previously covered a decision from the United States District Court for the District of Minnesota that concluded Target could be found liable for harm that banks suffered when customer data was compromised. This decision marked a positive development for banks who may seek reimbursement from companies that are the source of a data breach.
However, a recent decision from the United States Court of Appeals for the Third Circuit may make it harder for banks seeking reimbursement from companies. In Citizens Bank of Pennsylvania v. Reimbursement Technologies a bank sued Reimbursement Technologies (“RTI”) after a data breach. Consumers provided RTI with their financial information so that RTI could facilitate payments to healthcare providers. An employee at RTI fraudulently obtained financial information and provided it to a criminal organization. After the fraud was detected and stopped, the bank reimbursed several customer accounts. The bank ultimately lost over $390,000.
The bank sued RTI for, among other things, negligence. The bank asserted that RTI had a duty to safeguard customer information and it breached that duty in a way that caused harm to the bank. The Third Circuit dismissed the bank’s theory by explaining:
There may also be good reason for the public to hold companies like RTI liable to their customers’ patients. But the public has very little overall interest in holding companies like RTI liable to their financial institutions, particularly when those institutions are unrelated third parties that are only derivatively connected to the company suffering the breach through their clients’ clients separate business relationships. In short, even in light of the other factors weighing in favor, this is simply an insufficient rationale on which to base a duty of care.
The Court’s reasoning is odd, particularly in light of law that makes financial institutions liable to consumers for fraud losses. It is unclear why there is “little overall interest” in holding companies like RTI responsible for losses that are ultimately born by the bank.
Nevertheless, the Third Circuit’s ruling means that banks will continue to be viewed as society’s insurance providers. As the law in this area continues to develop, there will likely be an ongoing disagreement about whether other individuals and entities should share responsibility for losses resulting from fraud and cyber-attacks. Banks would do well to make sure that they have implemented best practices to protect their systems and identify fraud quickly. Finally, banks should make sure that they have adequate insurance to cover losses.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.
