Summary
finding that, under Indiana law, a bank "has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest" and so "must certainly employ sufficient security measures to protect their customers' online accounts"
Summary of this case from USAA Fed. Sav. Bank v. PLS Fin. Servs., Inc.Opinion
Case No: 07 C 5387.
August 21, 2009.
David M. Marco, Larry Paul Smith, Larry P. Smith Associates Ltd., Chicago, IL, Geoffrey H. Baskerville, John Soumilas, Francis Mailman, PC, Philadelphia, PA, for Plaintiffs.
Alan R. Lipton, Timothy Allen Hickey, Evan D. Brown, Hinshaw Culbertson, Chicago, IL, for Defendant.
MEMORANDUM OPINION AND ORDER
Defendant Citizens Financial Bank is a federally insured savings bank with branch locations in northwest Indiana and the Chicago area. Plaintiffs Marsha and Michael Shames-Yeakel were customers of Citizens who fell victim to identity theft when an unknown person gained access to their online account and stole $26,500 from a home equity credit line. When Plaintiffs refused to pay Citizens for the loss, the bank reported their account as delinquent to the national credit bureaus and threatened to foreclose on Plaintiffs' residence. In response, Plaintiffs brought this action, alleging violations of the Truth in Lending Act ("TILA"), the Electronic Funds Transfer Act ("EFTA"), the Fair Credit Reporting Act ("FCRA"), and the Indiana Uniform Consumer Credit Code ("IUCCC"), as well as negligence and breach of contract, seeking actual and punitive damages. Shortly after Defendant moved for summary judgment, Plaintiffs voluntarily dismissed their IUCCC and breach of contract claims (Counts IV and VI), leaving four counts for consideration in this motion for summary judgment. For the reasons stated below, the motion is granted in part and denied in part. Summary judgment is granted with respect to the EFTA claim (Count II), granted in part on the FCRA and negligence claims (Counts III and V), and otherwise denied.
FACTUAL BACKGROUND
I. Plaintiffs' Relationship with Citizens
Plaintiffs are a married couple who reside in Crown Point, Indiana. (Marsha Shames-Yeakel Dep. [hereinafter "Marsha Dep."] at 5, Ex. 1 to Citizens' Statement of Facts Pursuant to LR 56.1 [hereinafter "Def.'s 56.1"].) Since 2005, Plaintiff Marsha Shames-Yeakel has operated "Best Practices," an accounting and bookkeeping business, from her home. (Def.'s 56.1 ¶¶ 1-2; Marsha Dep. at 5.) Plaintiff Michael Shames-Yeakel also works under the Best Practices name, offering his services to various companies as a project manager and computer programmer. (Def.'s 56.1 ¶ 4.) Best Practices owned a business checking account with Citizens, distinct from Plaintiffs' personal accounts with the bank. (Plaintiffs' Response to Def.'s Statement of Facts Pursuant to LR 56.1 and Statement of Additional Facts [hereinafter "Pls.' 56.1"] ¶ 3.)In April 2003, Plaintiffs opened a $50,000 home equity line of credit from Citizens. (Def.'s 56.1 ¶ 6; Pls.' 56.1 ¶ 6.) The parties agree that Plaintiffs took four advances on the credit line, although they disagree about whether the purchases were primarily personal or commercial in nature. (Def.'s 56.1 ¶ 7; Pls.' 56.1 ¶ 7.) Plaintiffs used the first advance to make a down payment on a loft in Chicago. (Marsha Dep. at 28: 4-5.) Ms. Shames-Yeakel referred to the loft as an "investment" in her deposition ( id.), but she explained that she owns the loft jointly with her son, who uses the loft as his personal residence, and that the property constitutes an investment only insofar as Plaintiffs hope to sell it for a profit when their son ultimately moves out of it. ( Id. at 28: 15-17; Marsha Decl. ¶¶ 3-7, Ex. 1 to Pls.' Resp.) With the second advance, Plaintiffs paid off the balance they owed on their two cars, one primarily used by Ms. Shames-Yeakel and one by Mr. Shames-Yeakel. (Def.'s 56.1 ¶¶ 7-8; Michael Shames-Yeakel Dep. [hereinafter "Michael Dep."] at 29-30, Ex. 2 to Def.'s 56.1.) Defendant contends that Plaintiffs used the vehicles for Best Practices business (Def.'s 56.1 ¶ 7-8), but Plaintiffs respond that they purchased the cars before Ms. Shames-Yeakel formed Best Practices, and that Plaintiffs at all times continued to use the vehicles for personal purposes, merely taking tax deductions for certain mileage attributable to business travel. (Pls.' 56.1 ¶ 7-8; Michael Dep. at 31: 5-6.) Neither party offers evidence about the proportion of personal versus business mileage on the cars. Plaintiffs used their third credit advance to pay for a new roof for their personal residence, which includes a home office for Best Practices. (Def.'s 56.1 ¶ 7.) And finally, Plaintiffs used funds from a fourth advance to purchase a car for their daughter. ( Id.) In 2006, Plaintiffs "linked" the credit line to their Best Practices business checking account, enabling them to transfer funds online between the accounts. ( Id. ¶ 9, 11.) Plaintiffs used this feature primarily to make payments on the home equity credit line from their business checking account. ( Id. ¶ 11.)
Neither side mentions the dollar amounts of these advances.
Although the record is not completely clear which advance was used toward Mr. Shames-Yeakel's car, his deposition testimony suggests that Plaintiffs used a single advance to "pay off the balance" on both of Plaintiffs' vehicles. (Michael Dep. at 29-30.)
II. The Disputed Transactions
Unfortunately, the history of Plaintiffs' home equity credit line does not end there. On February 13, 2007, an unknown person with an IP address different from that of Plaintiffs gained access to Plaintiffs' online Citizens accounts by using Ms. Shames-Yeakel's username and password. (Def.'s 56.1 ¶ 20; Pls.' 56.1 ¶ 20.) This person ordered a $26,500 advance on Plaintiffs' home equity credit line and initially deposited that amount into Plaintiffs' business checking account. (Def.'s 56.1 ¶ 21.) From there, the thief wired the funds to a bank in Hawaii, and from Hawaii to a bank in Austria. ( Id.) Ten days later, Plaintiffs called Citizens to report the unauthorized transfer, but it was too late. ( Id. ¶ 22.) Citizens contacted the Hawaiian bank, and the Hawaiian bank in turn contacted the Austrian bank, but the Austrian bank ultimately refused to return the funds. (Milne Dep. at 39, Ex. 6 to Def.'s 56.1.) A Citizens investigation revealed that the account in Hawaii that had received the stolen funds was held in the name of "JV Financial." (Def.'s 56.1 ¶ 28.) Deborah Milne, a vice president of Citizens, tried but failed to contact JV Financial directly. ( Id. ¶ 29.) Another Citizens vice president, Rebecca Rees, supervised a subsequent investigation into the theft. ( Id. ¶ 32.) After analyzing the available data, Rees identified the specific IP address from which the thief had ordered the transfer. ( Id.) An activity report produced by the online banking system showed that the person had logged on using Ms. Shames-Yeakel's username and password. ( Id. ¶ 24.) An expert retained by Citizens testified that in his opinion, the bank's investigation was "reasonable and conducted properly." ( Id. ¶ 33.)
Although they note that both the unknown user and Plaintiffs used Comcast Internet accounts (Def.'s 56.1 ¶ 32), Citizens does not make any plausible argument that Plaintiffs initiated the disputed transfer. In addition to the unfamiliar IP address, an expert examined the Shames-Yeakels' computers pursuant to a consent order of this court and found no evidence that Plaintiffs were involved in the disputed transactions. (Pls.' 56.1 ¶ 75; Modzelewski Report, Ex. 19 to Pls.' Resp.)
The expert report does not cite any particular standard by which the investigation was determined to be "proper." (Tedrick Report, Ex. 8 to Def.'s 56.1.)
Once Milne determined that Citizens would not be able to retrieve Plaintiffs' funds, the bank sent Plaintiffs a letter notifying them that the bank intended to hold them liable for the loss, presumably pursuant to the terms of plaintiffs' online banking agreement ( Id. ¶ 30.) Specifically, the "Business Online Banking Application" form that Plaintiffs completed required them to agree to associated terms and conditions. ( Id. ¶¶ 12, 16; Citizens Business Online Banking Application, Attach. 1 to Ex. 3 to Def.'s 56.1.) Among those terms and conditions was a disclaimer stating, "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." (Citizens Business Online Banking Internet Banking Agreement at 8, Attach. 2 to Ex. 3 to Def.'s 56.1.) Neither side offers evidence of how, if at all, Citizens' online banking for businesses differed from its online access for personal accounts.
The Office of Thrift Supervision ("OTS"), a federal agency within the Department of the Treasury, also reviewed the dispute between Citizens and the Shames-Yeakels, at the request of Ms. Shames-Yeakel. (Def.'s 56.1 ¶ 41; Letter from Ozburn to Shames-Yeakel of July 27, 2007, Attach. 5 to Ex. 3 to Def.'s 56.1.) On July 27, 2007, the agency issued a letter to Plaintiffs opining that neither the Truth in Lending Act nor the Electronic Funds Transfer Act governed their situation and concluding that the agency therefore had no regulatory objection to Citizens holding them liable. (Letter from Ozburn to Shames-Yeakel of July 27, 2007.)
In relevant part, the letter read as follows:
Regulation E which implements the Electronic Funds Transfer Act applies only to specific bank accounts that are defined in the regulation. An account under Regulation E Section 205.2(b)(1) is defined as a "demand deposit (checking), savings, or other consumer asset account held directly or indirectly by financial institution and established primarily for personal, family or household purposes." A home equity line of credit account is not an account as defined in Regulation E, as it is not an asset account, but is a credit account. Also, it is worth noting that Regulation E does not apply to business accounts. Additionally, in defining an electronic funds transfer under Regulation E, wires are specifically excluded, as per Section 205.3(c)(3). For these reasons Regulation E does not apply to your situation.
Regulation Z which implements the Truth in Lending Act, covers extensions of credit when the credit is primarily for personal, family or household purposes (Section 226.2(c)(1).) Originally, when you applied for your home equity line of credit it may have been for personal purposes. However on June 12, 2006, you signed an agreement with the institution linking all of your accounts with your business account. . . . Thereafter, the home equity line of credit was used as a business purpose account, as opposed to being for personal, family or household purposes. For this reason Regulation Z does not apply to your situation.
(Letter from Ozburn to Shames-Yeakel of July 27, 2007 at 2.)
Plaintiffs made several complaints to Citizens after the bank began billing Plaintiffs for the $26,500, but to no avail. (Pls.' 56.1 ¶ 60.) Citizens' loan management department merely confirmed as accurate the amount shown in the account's balance. (Stur Dep. 53-56, Ex. 4 to Pls.' Resp.) When Plaintiffs failed to make full payments on the balance, Citizens began reporting the account as delinquent to national credit bureaus. (Def.'s 56. ¶ 35.) In response, Plaintiffs filed at least 19 "credit reporting disputes" with credit bureaus, which were passed along to Citizens for investigation pursuant to the Fair Credit Reporting Act. (Pls.' 56.1 ¶ 61; Ex. 14 to Pls.' Resp.) Plaintiffs assert that the bank failed to perform any investigations in response to the credit reporting disputes (Pls.' 56.1 ¶ 61), although they do not contest that Defendant responded to every dispute and in addition wrote two letters to Plaintiffs about the issue. (Def.'s ¶¶ 38-39.) Apparently, the bank in all cases verified the accuracy of the account's balance but refused to reconsider its decision to hold Plaintiffs liable. (Pls.' 56.1 ¶ 61; Def.'s 56.1 ¶¶ 38, 40.) According to credit history reports produced by Plaintiffs, the delinquencies reported by Citizens are the only late payments in either Plaintiff's credit history. (Ex. 15 to Pls.' Resp.) The parties fail to address whether Citizens advised the credit bureaus that the debt was contested, but neither of Plaintiffs' credit histories (both from Experian) note the disputed nature of the debt. ( Id.) Beyond reporting Plaintiffs to the credit bureaus, Citizens in August 2007 sent Plaintiffs a "Notice of Default and Right to Cure" letter, threatening to foreclose on Plaintiffs' home should they continue to refuse to make payments on the account. (Letter from Johanson to Shames-Yeakel of Aug. 28, 2007, Ex. 17 to Pls.' Resp.) Thereafter, Plaintiffs began making payments under protest. (Pls.' 56.1 ¶ 72; Letter from Shames-Yeakel to Johanson of Mar. 1, 2008, Ex. 18 to Pls.' Resp.)
According to the Amended Complaint, Plaintiffs wrote Citizens a check for the full $11,356.83 of debt that predated the theft but refused to make payments on the remaining balance. (Am. Compl. ¶¶ 23-24.)
III. Citizens' Security Measures
Because Plaintiffs have alleged a state law claim of negligence, the bank's security practices are also relevant to this case. Citizens contracts with a third party named Fiserv to provide its online banking services. (Def.'s 56.1 ¶ 14.) As part of this relationship, Fiserv provides "information security services" intended to keep information such as online login credentials secure. ( Id.) Defendant claims, and Plaintiffs do not dispute, that Fiserv has a reputation in the banking industry for providing high-quality services. ( Id.) In addition to security services provided by Fiserv, Citizens requires all online banking customers to use passwords of their own creation. ( Id. ¶ 15.) It also restricts access to its online banking system to those employees who have a business need to access the system. ( Id.) An information security expert retained by Citizens opined that the bank's security measures "were reasonable and not the cause of the unauthorized transfer." (Scholl Report, Ex. 8 to Def.'s 56.1.)
Throughout Plaintiffs' Rule 56.1 response to Defendant's statement of facts, Plaintiffs have responded to certain paragraphs by stating "Admitted" and then offering a truncated version of Defendant's factual assertion, thereby possibly suggesting that they admit to only part of the assertion. For instance, in response to the paragraph cited here, Plaintiffs wrote, "Admitted. It is admitted the Defendant uses the services of Fiserv," thus perhaps suggesting that Plaintiffs do not admit that "Fiserv is highly regarded in the banking industry," as the paragraph also asserts. (Def.'s 56.1 ¶ 14.) Under Local Rule 56.1(b)(3)(C), "All material facts set forth in the statement required of the moving party will be deemed to be admitted unless controverted by the statement of the opposing party." Accordingly, this court deems admitted all facts set forth in Defendant's 56.1 statement except those directly controverted by Plaintiffs' responses.
Plaintiffs criticize both Scholl's credentials and his familiarity with the security procedures at issue, noting that his only degree is in marketing and also that Scholl never conducted a first-hand review of Fiserv's system. (Pls.' 56.1 ¶ 51.)
Plaintiffs do not dispute these facts, but they nevertheless argue that Citizens' online banking security lagged behind industry standards. Specifically, Plaintiffs claim that Citizens failed to guard access to Plaintiff's account with adequate security features at the time of the theft. (Pls.' 56.1 ¶¶ 47-49.) Citizens protected access to Plaintiffs' online accounts simply by means of a user name and password, or "single-factor identification." (Milne Dep. at 88-89, 90:16-20, Ex. 8 to Pls.' Resp.) In contrast, "multifactor identification" checks against multiple data points, beyond user ID and password, to verify the identity of users attempting to log on to a system, thereby adding an additional layer of security. (Scholl Dep. at 35-36, Ex. 6 to Pls.' 56.1.) Plaintiffs argue that Defendant should have provided them with a security feature known as a "token." (Pls.' 56.1 ¶ 49.) Mark Scholl, Citizens' own expert, explained that a token is an object possessed by a user, either as a digital object saved to the user's computer or as a physical device carried by the user. (Scholl Dep. at 38-39.) Tokens can provide additional security in various ways, for instance by generating ever-changing pass codes or by identifying a user's specific computer to the bank's website. ( Id.) At the time of the unauthorized access to Plaintiffs' account, Citizens was in the process of issuing physical tokens to its users, in the form of small devices that would fit on a key chain and were to generate ever-changing eight-digit pass codes. (Milne Dep. at 88.) Once in possession of a token, the bank's customers were to log on to Citizens' online banking system using the token-generated number in addition to a PIN and username the user had established. ( Id. at 87-88.)
According to Scholl, digital tokens commonly work by registering specific computers with a bank's website in order to track whether a computer has logged on recently; if a computer that has not recently logged on attempts to access the website, the site will ask the user one or more "challenge questions" before allowing the user to proceed. (Scholl Dep. 38-40.)
To support their contention that Citizens should have had such security measures in place at an earlier date, Plaintiffs cite a 2005 document entitled "Authentication in an Internet Banking Environment" authored by the Federal Financial Institutions Examination Council ("FFIEC"). (Pls.' 56.1 ¶ 47.) The FFIEC is an interagency body that advises a number of federal agencies on appropriate standards for the regulation of financial institutions. See generally About the FFIEC,http://www.ffiec.gov/about.htm. The "Authentication" document issued by the Council discusses a number of security measures, including tokens, available to banks that offer online banking services. FFIEC, AUTHENTICATION IN AN INTERNET BANKING ENVIRONMENT [hereinafter "FFIEC Report"] 2, 7-14 (2005), http://www.ffiec.gov/pdf/authentication_guidance.pdf. Notably, although the report "does not endorse any particular technology," it states,
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. . . . Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.Id. at 1. This guidance "applies to both retail and commercial customers." Id.
For a copy of the press release that accompanied the report, see http://www.ffiec.gov/press/pr101205.htm.
In addition, Plaintiffs note that Citizens received a security report from Fiserv in February 2007 that highlighted a number of "security vulnerabilities and exploits" that had appeared on the Internet over the past month, including a password stealing program. (Pls.' 56.1 ¶ 52; Fiserv Feb. 2007 Information Security Report, Ex. 7 to Pls.' Resp.) Defendant asserts that Citizens never notified Plaintiffs of any of these dangers. (Pls.' 56.1 ¶ 52.)
DISCUSSION
A. Summary Judgment Standard
Summary judgment is proper when "the pleadings, the discovery and disclosure materials on file, and any affidavits show that there is no genuine issue as to any material fact and that the movant is entitled to judgment as a matter of law." FED. R. CIV. P. 56(c); see also Celotex Corp. v. Catrett, 477 U.S. 317, 322-23, 106 S. Ct. 2548, 91 L. Ed. 2d 265 (1986). In determining whether a genuine issue of material fact exists, the court construes "all facts and reasonable inferences in the light most favorable to the non-moving party." Westra v. Credit Control of Pinellas, 409 F.3d 825, 827 (7th Cir. 2005).
B. Truth in Lending Act
Plaintiffs allege that Citizens violated various provisions of the Truth in Lending Act ("TILA"), 15 U.S.C. § 1601 et. seq., when the bank attempted to bill them for and charge interest upon the disputed credit transaction. (Am Comp. ¶ 39.) Notably, the TILA limits "cardholder" liability on "the unauthorized use of a credit card" to fifty dollars. § 1643. In this motion for summary judgment, Citizens makes no argument about the merits of Plaintiffs' TILA claims, but rather argues that the TILA does not apply to the transaction at issue because it was not a "consumer" transaction. According to the TILA,
The statute defines "credit card" broadly as "any card, plate, coupon book or other credit device existing for the purpose of obtaining money, property, labor, or services on credit." 15 U.S.C. § 1602(k); see also United States v. Bice-Bey, 701 F.2d 1086, 1092 (4th Cir. 1983) (holding that fraudulent use of credit card account numbers qualified as fraudulent use of a "credit card" within the TILA); Munoz v. Seventh Ave., Inc., No. 04 C 2219, 2004 WL 1593906, at *2-4 (N.D. Ill. July 15, 2004) (order form in a catalogue, which offered a "pre-approved" credit line for purchases, qualified as a "credit card"). It is also worth noting that the TILA exempts from coverage credit transactions in excess of $25,000, except "those in which a security interest is or will be acquired in real property," meaning that the transaction at issue here is not specifically exempted. § 1603(3). As neither side addresses the issue here, the court declines to comment on whether Plaintiffs' home equity credit line constituted a "credit card."
The adjective `consumer', used with reference to a credit transaction, characterizes the transaction as one in which the party to whom credit is offered or extended is a natural person, and the money, property, or services which are the subject of the transaction are primarily for personal, family, or household purposes.
§ 1602(h). The statute exempts from coverage "[c]redit transactions involving extensions of credit primarily for business, commercial, or agricultural purposes. . . ." § 1603(1). Because the TILA is a remedial statute primarily intended to protect consumers, courts conducting a TILA analysis look to "the substance rather than the form" of the relevant transactions. Cole v. U.S. Capital, Inc., 389 F.3d 719, 727 (7th Cir. 2004) (FCRA case) (quoting Clark v. Rent-It-Corp., 685 F.2d 245, 248 (8th Cir. 1982) (TILA case)). In determining whether a particular transaction had a primarily consumer or business nature within the meaning of the TILA, courts look to "the entire surrounding factual circumstances." Cobb v. Monarch Fin. Corp., 913 F. Supp. 1164, 1174 (N.D. Ill. 1995) (quoting Tower v. Moss, 625 F.2d 1161, 1166 n. 4 (5th Cir. 1980)) (improvements to a rented house were a consumer transaction, where the plaintiff had lived in the house for a substantial period of time, intended to live there again, and was leasing the house in the interim for only "nominal rent"). The object of a credit transaction generally controls this inquiry, as opposed to the property on which the lender retains a security interest. See, e.g., Sherrill v. Verde Capital Corp., 719 F.2d 364, 366-68 (11th Cir. 1983) (per curiam) (loan to raise business capital, secured by plaintiffs' personal residence, represented an exempted business loan).
Looking to the substance of the transactions on Plaintiffs' home equity line of credit, Plaintiffs have produced sufficient evidence that the account was held for "consumer" purposes. Indeed, Plaintiffs' use of their home equity line of credit appears overwhelmingly personal in nature. For example, their loft serves as their son's personal residence, and Citizens points to no evidence that Plaintiffs have ever attempted to produce income with the loft or otherwise used it for any business purpose. As a transaction that seems to have primarily benefited Plaintiffs' son, a reasonable finder of fact could certainly conclude that the purchase had a primarily "family . . . purpose[]." 15 U.S.C. § 1602(h); cf. also Tower, 625 F.2d at 1166-67. As for Plaintiffs' cars, they may use the vehicles for business as well as personal reasons and admittedly take deductions for their business mileage, but nothing in the record suggests they use the cars "primarily for business" purposes. § 1603(1). (Pls.' 56.1 ¶ 7-8; Michael Dep. at 31: 5-6.) Likewise, re-roofing one's personal residence, even if the house happens to contain a home office, seems likely to qualify as primarily "household" rather than "business" in nature. Compare § 1602(h) with § 1603(1). Citizens produces no evidence that the new roof somehow benefitted Plaintiffs' office more than the personal portion of their residence. And finally, Citizens admits that Plaintiffs' purchase of a car for their daughter was "purely personal" in nature. (Def.'s 56.1 ¶ 7.) Thus, even disregarding the fact that Plaintiffs' line of credit was secured by their personal residence, the record contains ample evidence to support a finding that Plaintiffs used their home equity line of credit "primarily for personal, family, or household purposes." § 1602(h). The court respectfully disagrees with the suggestion in a letter from OTS staff that Plaintiffs' "linking" of their credit line to their business checking account changes the analysis. This "linking" does not transform the credit line into a business account, especially considering that Plaintiffs used the linking feature primarily to pay down the credit line with funds from their business. (Def.'s 56.1 ¶ 11.) Nothing in the record suggests that Plaintiffs used the credit line secured by their home to raise capital for the Best Practices business. To hold that a mere "linking" between accounts transformed consumer credit into business credit would be to elevate form over substance. Cf. Cole, 389 F.3d at 727. Accordingly, summary judgment is denied on Count I of the Amended Complaint.
Defendant also argues that Plaintiffs should be estopped from "repudiat[ing] the linking" because Plaintiffs "benefited from having the line of credit linked." (Def.'s Mem. at 5.) This argument is misplaced; Plaintiffs do not seek to repudiate the linking agreement but merely question its relevance to the issue at hand.
C. Fair Credit Reporting Act
Plaintiffs also claim that Citizens violated the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et. seq., by reporting their home equity line of credit as delinquent to the credit bureaus despite numerous disputes filed by Plaintiffs.
1. Citizens' Duties under § 1681s-2(b)
In addition to imposing duties on credit reporting agencies, the FCRA imposes requirements on "furnishers of information" such as Citizens. § 1681s-2. Plaintiffs base their FCRA claim on § 1681s-2(b), which sets forth the "[d]uties of furnishers of information upon notice of dispute." When a consumer files a dispute with a credit bureau, the credit bureau must notify the furnisher of the dispute. § 1681i(a)(2). Upon notice of a dispute, § 1681s-2(b)(1) requires that the furnisher:
(A) conduct an investigation with respect to the disputed information;
(B) review all relevant information provided by the consumer reporting agency pursuant to section 1681i(a)(2) of this title;
(C) report the results of the investigation to the consumer reporting agency;
(D) if the investigation finds that the information is incomplete or inaccurate, report those results to all other consumer reporting agencies to which the person furnished the information and that compile and maintain files on consumers on a nationwide basis; and
(E) if an item of information disputed by a consumer is found to be inaccurate or incomplete or cannot be verified after any reinvestigation under paragraph (1), for purposes of reporting to a consumer reporting agency only, as appropriate, based on the results of the reinvestigation promptly —
(i) modify that item of information;
(ii) delete that item of information; or
(iii) permanently block the reporting of that item of information.
Case law has further examined the extent to which furnishers of information must investigate disputes and correct "incomplete or inaccurate" information under § 1681s-2(b). Courts have generally concluded that the FCRA requires "reasonable" investigation and review, given the circumstances. E.g., Scheel-Baggs v. Bank of Am., 575 F. Supp. 2d 1031, 1039 (W.D. Wis. 2008); Westra, 409 F.3d at 827 (7th Cir. 2005) (assuming without elaboration that § 1681s-2(b) requires "reasonable" investigation). The reasonableness of a § 1681s-2(b) investigation is generally a question for the jury. Hinton v. USA Funds, No. 03 C 2311, 2005 WL 730963, at *5 (N.D. Ill. Mar. 30, 2005) (collecting cases). In Westra, a consumer filed a credit dispute after an identity thief fraudulently opened several accounts in his name. 409 F.3d at 826. The dispute received by the defendant furnisher of information merely alleged that "the account did not belong to" the plaintiff; it did not mention identity theft as the cause. Id. at 827. In light of this "scant information," the Seventh Circuit held that the defendant had as a matter of law satisfied its duty to investigate when it simply confirmed the consumer's name, address, and date of birth; the court acknowledged, however, that a more thorough investigation might be required, had the defendant received notice that the "nature of the dispute concerned fraud." Id.
Other cases have held that credit reports are "incomplete or inaccurate" within the meaning of the FCRA not only when "patently incorrect" but also when "`misleading in such a way and to such an extent that it can be expected to have an adverse' effect" on the consumer. Dalton v. Capital Associated Indus., Inc., 257 F.3d 409, 415 (4th Cir. 2001) (quoting Sepulvado v. CSC Credit Servs., Inc., 158 F.3d 890, 895 (5th Cir. 1998)). For instance, where a consumer has presented a lender with a colorable argument against liability, failure to note the dispute in any credit report may be "misleading" and therefore "incomplete or inaccurate" within the meaning of § 1681s-2(b). Gorman v. Wolpoff Abramson, LLP, 552 F.3d 1008, 1023-24 (9th Cir. 2009); Saunders, 526 F.3d 142, 149-150 (4th Cir. 2008). In Saunders, the Fourth Circuit upheld a jury verdict against a furnisher of credit information for violating the FCRA. Id. The defendant had demanded payment for late fees incurred when it neglected to bill the plaintiff consumer and had subsequently failed to acknowledge the contested nature of the debt when responding to a credit dispute filed by the consumer. Id. at 145-46.
The majority of cases employing this standard, including Dalton, address credit bureaus' duty to report accurately under § 1681e(b), but the standard is analogous to the standard of accuracy under § 1681s-2(b). Saunders v. Branch Banking and Trust Co., 526 F.3d 142, 148 n. 3 (4th Cir. 2008).
To support its holding, the Saunders court noted that § 1681s-2(a)(3) imposes a duty to report consumer disputes. 526 F.3d at 149. This duty to report disputes informs the scope of the § 1681s-2(b) duty to investigate, because of the interplay between §§ 1681s-2(a) and (b). Saunders, 526 F.3d at 149. Distinguishing between the two subsections is important, because private liability is barred under § 1681s-2(a) but not under § 1681s-2(b). See § 1681s-2(c)(1). Subsection (a) imposes a number of requirements relating to the furnisher's duty to report accurate information, while subsection (b) briefly explains how a consumer dispute triggers the furnisher's duty to investigate its original report for completeness and accuracy. If a furnisher has a duty to report information under the subsection (a) standard, that information must also be covered by the subsection (b) duty to investigate and correct "incomplete or inaccurate" information. Saunders, 526 F.3d at 149-50. The Fourth Circuit explained, "No court has ever suggested that a furnisher can excuse its failure to identify an inaccuracy when reporting pursuant to § 1681s-2(b) by arguing that it should have already reported the information accurately under § 1681s-2(a)." Id. (emphasis in original). Although not mentioned by the parties, another subsection (a) reporting duty is also relevant to this dispute: § 1681s-2(a)(6)(B) prohibits furnishers of credit information, after receiving an "identity theft report," from furnishing information based on the alleged identity theft unless the furnisher "knows or is informed by the consumer that the information is correct."
The provision, entitled "Duty to provide notice of dispute," reads in full:
If the completeness or accuracy of any information furnished by any person to any consumer reporting agency is disputed to such person by a consumer, the person may not furnish the information to any consumer reporting agency without notice that such information is disputed by the consumer.
§ 1681s-2(a)(3).
Here, the record contains sufficient evidence to support a finding that Citizens violated the FCRA by reporting a debt arising from a theft but failing to note the disputed nature of that debt. As discussed above, Plaintiffs have a colorable argument that the TILA limited their liability for the stolen funds. If this is so, then a report from the bank that Plaintiffs owed the money could certainly qualify as "inaccurate," such that Citizens had a duty to modify, delete, or block the information from its credit reports. § 1681s-2(b)(1)(E). Furthermore, even if Plaintiffs' TILA claim ultimately fails, Citizens knew that Plaintiffs contested the debt and therefore may have had a duty to report the disputed nature of the debt. See 526 F.3d at 149-150. Plaintiffs' credit history suggests that Citizens' reports did not note any such information. (Ex. 15 to Pls.' Resp.) If it did not, a reasonable finder of fact could conclude that failure to report such important details was "misleading in such a way and to such an extent that it [could have been] expected to have an adverse effect" on Plaintiffs. Dalton, 257 F.3d at 415 (internal quotation omitted).
Plaintiffs' alternative argument-that Citizens failed to complete reasonable factual investigations of their numerous credit reporting disputes-is less persuasive. See § 1681s-2(a)(8)(F)(i)(II) (instructing that a furnisher has no duty to reinvestigate disputes that are "substantially the same as a dispute previously submitted by or for the consumer"). Westra, cited by Plaintiffs, is not relevant, because this is not a case in which more thorough factual investigation could have turned up facts that might have altered the bank's decision. See 409 F.3d at 827. Rather, the undisputed evidence establishes that Citizens knew that fraud gave rise to the transaction at issue, realized that Plaintiffs contested liability for the debt, and nevertheless made a deliberate decision to report Plaintiffs as delinquent. (Def.'s 56.1 ¶¶ 20-40.) The genuine FCRA issue lies not in the reasonableness of Citizens' factual investigation but rather in the reasonableness of its ultimate decision to report Plaintiffs' credit account as delinquent without acknowledging the disputed nature of their debt.
2. Liability Under § 1681n and § 1681o
Plaintiffs argue that as a result of Citizens' violations of § 1681s-2(b), Citizens is liable under § 1681n or § 1681o. (Am. Compl. ¶ 46.) § 1681n defines liability for "willful noncompliance" with FCRA duties, while § 1681o defines liability for "negligent noncompliance." Both sections provide for actual damages between $100 and $1000, as well as reasonable attorney's fees, but in the case of "willful noncompliance," § 1681n(a)(2) also permits "such amount of punitive damages as the court may allow." As Plaintiffs note, the Supreme Court recently held that "willful noncompliance" with the FCRA includes not only "acts known to violate the Act" but also "reckless disregard of statutory duty." Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 57 (2007). Given Citizens' duties under § 1681s-2 discussed above, a reasonable finder of fact could conclude that the bank acted with "reckless disregard" for its statutory duties. Id. Indeed, the Saunders court upheld a jury award of punitive damages under § 1681n for a defendant's failure to report an ongoing dispute over the debt at issue. 526 F.3d at 150-51. Citizens makes no argument that § 1681n would not apply, assuming that the bank violated § 1681s-2(b). (Mem. in Supp. of Def.'s Mot. for Summ. J. [hereinafter "Def.'s Mem."] at 7-10; Citizens' Reply in Support of Mot. for Summ. J. [hereinafter "Def.'s Reply"] at 1-3.)
In fact, the Saunders jury verdict occurred pre- Safeco and thus involved a stricter understanding of willful noncompliance (as "knowing and intentional") than in this case. 526 F.3d at 151.
Accordingly, summary judgment on the FCRA claim is granted only as to whether Citizens conducted a reasonable factual investigation. Disputes of fact remain that preclude summary judgment on Plaintiffs' claim that Citizens' decision to report their debt and its manner of reporting violated the FCRA, either willfully or negligently.
D. Electronic Funds Transfer Act
Plaintiffs also claim that Defendant violated various provisions of the Electronic Funds Transfer Act ("EFTA"), 15 U.S.C. § 1693 et seq. (Am. Compl. 42.) By its plain language, however, EFTA does not apply to either of Plaintiffs' accounts involved in the disputed transaction. The EFTA governs "electronic fund transfer[s]" that "authorize a financial institution to debit or credit an account." § 1693a(6). The EFTA in turn defines an "account" as a "demand deposit, savings deposit, or other asset account (other than an occasional or incidental credit balance in an open end credit plan as defined in section 1602(i) of this title) . . . established primarily for personal, family, or household purposes." § 1693a(2). Section 1602(i) defines an open end credit plan as a "plan under which the creditor reasonably contemplates repeated transactions, which prescribes the terms of such transactions, and which provides for a finance charge which may be computed from time to time on the outstanding unpaid balance."
Plaintiffs' home equity line of credit was an open end credit plan of the type explicitly exempted from coverage of the EFTA, as illustrated by the way in which Plaintiffs repeatedly took advances on the credit line. See § 1693a(2). Moreover, it was not any sort of "asset account"; it was a credit account. Id. As for Best Practices' checking account, Plaintiffs did not establish it "primarily for personal, family, or household purposes." Id. Rather, they created the account in connection with their business. (Def.'s 56.1 ¶ 3; Marsha Dep. at 8.) Thus, the EFTA did not govern either account. Plaintiffs appeal to congressional intent to protect consumers and cite Cobb, 913 F. Supp. at 1174-75, as an "analogous setting" where the EFTA applied. (Pls.' Mem. of Law in Opp'n to Def.'s Mot. for Summ. J. [hereinafter "Pls.' Mem."] at 13.) This court fails to see the analogy. The court in Cobb, denying a motion to dismiss, held that alleged savings accounts used to pay off personal debts did fall within the EFTA's definition of "accounts." 913 F. Supp. at 1174-75. In contrast, both accounts at issue here clearly fall outside the EFTA's definition of an account.
Because EFTA does not govern either account involved in the disputed transfer, Defendant is entitled to summary judgment on Count II.
E. Negligence
Finally, Plaintiffs claim that Citizens acted negligently in a number of ways. The parties agree that Indiana law applies to this claim. (Def.'s Mem. at 13; Pls.' Mem. at 22 n. 21.) In order to prove negligence in Indiana, a plaintiff must establish a duty owed by the defendant to conform its conduct to a standard of care arising from its relationship with the plaintiff; a breach of that duty; and an injury proximately caused by the breach of that duty. Benton v. City of Oakland City, 721 N.E.2d 224, 232 (Ind. 1999). Plaintiffs here argue that Citizens was negligent in violating the various statutory duties discussed above, and also in failing to sufficiently protect their accounts from fraudulent access in the first place. (Pls.' Mem. at 23-24.)
Plaintiffs also allege in their statement of facts that Citizens received reports from Fiserv about various security threats on the Internet, and that Citizens did not notify them of any such threats. (Pls.' 56.1 ¶ 52.) Plaintiffs have not developed this argument, however, and have not contended that Citizens was negligent in failing to warn them about the various dangers of the Internet. (Pls.' Mem. at 22-25.)
Under Indiana law, violating statutory duties constitutes negligence per se. See Thiele v. Norfolk W. Ry. Co., 68 F.3d 179, 184-85 (7th Cir. 1995) (citing French v. Bristol Myers Co., 574 N.E.2d 940, 943 (Ind. Ct. App. 1st Dist. 1991). Insofar as Plaintiffs' negligence claim rests on Citizens' breach of statutory duties, the negligence claim is largely repetitive of Plaintiffs' other claims; Plaintiffs' evidence on liability and damages will likely be identical. Plaintiffs may, thus, argue that Citizens was negligent in violating the TILA; the statute does not preempt state laws "except to the extent that those laws are inconsistent" with the TILA. §§ 1610(a)(1), 1666j(a). For the reasons explained above, however, Plaintiffs cannot present any evidence of negligence based on the EFTA, as that statute did not apply to the transaction at issue. Supra, section D. Nor may Plaintiffs use a negligence claim to end-run statutory caps on liability; the FCRA provides that consumers cannot bring common law negligence actions based on a defendant's credit reporting, outside of the statutory damages in §§ 1681n-o, "except as to false information furnished with malice or willful intent to injure [the] consumer." § 1681h(e); see also Thornton v. Equifax, Inc., 619 F.2d 700, 705-06 (8th Cir. 1980) (holding, in reversing a libel verdict, that § 1681h(e) has a "higher requirement of proof" than the § 1681n "willful noncompliance" standard for punitive damages); Nwoke v. Countrywide Home Loans, Inc., 251 Fed. Appx. 363, 365 (7th Cir. 2007) (affirming summary judgment in favor of a lender on a negligence claim where plaintiff presented no evidence of malice or willful intent). As discussed above, the record may support a finding that Citizens acted with "reckless disregard" for its statutory duties under the FCRA, but Plaintiffs do not argue that Citizens acted with "malice" or "willful intent to injure" them. (Pls.' Mem. at 22-25.)
The subsection, entitled "Limitation on liability," reads in full:
Except as provided in sections 1681n and 1681o of this title, no consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency, any user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to section 1681g, 1681h, or 1681m of this title, or based on information disclosed by a user of a consumer report to or for a consumer against whom the user has taken adverse action, based in whole or in part on the report except as to false information furnished with malice or willful intent to injure such consumer.
§ 1681h(e).
The unique issue within Plaintiffs' negligence claim is their argument that Citizens breached its duty to sufficiently secure its online banking system. A number of courts have recognized that fiduciary institutions have a common law duty to protect their members' or customers' confidential information against identity theft. See, e.g., Jones v. Commerce Bancorp, Inc., No. 06 Civ. 835, 2006 WL 1409492, at *2 (S.D.N.Y. May 23, 2006); Bell v. Mich. Council 25 of Am. Federation of State, County, Municipal Employees, No. 246684, 2005 WL 356306, at *1 (Mich. Ct. App. Feb. 15, 2005) (per curiam). Although this court could not find an Indiana case addressing the matter, Indiana courts have held that a bank "has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest." Ind. Nat. Bank v. Chapman, 482 N.E.2d 474, 482 (Ind. Ct. App. 4th Dist. 1985) (citing Cont'l Optical Co. v. Reed, 119 Ind. App. 643, 86 N.E.2d 306 (1949)). If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts.
Citizens does not dispute that it had a duty to protect Plaintiffs' account from fraudulent access, but it does contest whether Plaintiffs have produced sufficient evidence of breach or causation. (Def.'s Mem. at 11-12.) Concerning breach, Citizens points to its own expert's opinion that the bank employed reasonable security measures. (Def.'s Mem. at 12; Def.'s Reply at 6.) Citizens makes no mention of the FFIEC Report produced by Plaintiffs. In that 2005 document, the Council described single-factor identification (username/password) as "inadequate" to secure the online transactions of financial institutions. FFIEC Report at 1. Although Citizens notes that it had begun to implement additional security measures at the beginning of 2007, a vice president of the bank admitted that only single-factor identification protected Plaintiffs' account at the time of the theft. (Milne Dep. at 88-89.) In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.
Although Citizens' terms and conditions contained an exculpatory clause, (Citizens Business Online Banking Internet Banking Agreement at 8, Attach. 2 to Ex. 3 to Def.'s 56.1), Citizens does not argue that the clause released the bank from liability for negligence. Citizens invoked the clause only with respect to the now-dismissed breach of contract count. (Def.'s Mem. at 14-15.)
Citizens also objects that Plaintiffs have failed to produce evidence of causation. (Def.'s Mem. at 12.) It cites Jones v. Commerce Bank, N.A., which held that a plaintiff had failed to establish causation of damages, where the defendant bank had reimbursed the plaintiff's monetary loss. No. 06 Civ. 835, 2007 WL 672091, at *3-4 (S.D.N.Y. Mar. 06, 2007) (denying reconsideration of summary judgment); see also 2006 WL 2642153, at *3 (S.D.N.Y. Sept. 15, 2006) (original grant of summary judgment). The court reasoned that any actual or emotional damages alleged by the plaintiff were caused by the theft of her identity, "not [by] four unauthorized withdrawals that were soon rectified." 2006 WL 2642153, at *3. The Jones rationale is inapplicable here, however; Citizens has not reimbursed Plaintiffs' financial loss, so causation of economic loss remains at issue. Assuming that Citizens employed inadequate security measures, a reasonable finder of fact could conclude that the insufficient security caused Plaintiffs' economic loss. Moreover, concerning Plaintiffs alleged "emotional and mental pain and anguish" (Am. Compl. ¶ 34), the record abounds with evidence that the theft led to a protracted struggle over liability between Plaintiffs and Citizens, including numerous complaints to Citizens and payments to the bank under threat of foreclosure. (Def.'s 56.1 ¶¶ 34-36; Pls.' 56.1 ¶¶ 67-74.) A reasonable finder of fact could conclude that Plaintiffs suffered mental and emotional anguish, and that Citizens' alleged negligence in allowing the theft to occur and then violating the TILA was a proximate cause of the anguish.
Accordingly, the court grants summary judgment insofar as Plaintiffs' negligence claim was based on EFTA or FCRA duties or Citizens' credit reporting practices, but otherwise denies summary judgment on Count V of the Amended Complaint.
CONCLUSION
Defendant's motion for summary judgment [59] is granted in part and denied in part. Summary judgment is denied on the Truth in Lending Act count. Summary judgment on the Fair Credit Reporting Act count is denied insofar as Plaintiffs argue that the bank willfully or negligently breached the FCRA by reporting Plaintiffs' account as delinquent and by omitting information from those reports; however, the thoroughness of the bank's factual investigation is not genuinely at issue. Summary judgment is granted on the Electronic Funds Transfer Act count. Finally, summary judgment on the negligence count is denied, but only insofar as the claim does not rest on the EFTA, the FCRA, or evidence of Citizens' credit reporting practices.