The case is Shames-Yeakel v. Citizens Financial Bank, U.S.D.C., Northern District of Illinois, Case No. 07-c-5387. In 2007, an unknown person gained access to the plaintiffs' online accounts by using Ms. Shames-Yeakel's username and password. This person ordered a $26,500 advance on a home equity line of credit, which was then transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.

According to the plaintiffs, their bank, Citizen's Financial, had a common law duty to protect their account information from identity theft and failed to maintain state-of-the-art security standards. Specifically, the plaintiffs argued, the bank used only single-factor authentication for customers logging into its server (a user name and password) instead of multi-factor authentication, such as combining the user name and password with a token the customer possesses that authenticates the customer’s computer to the bank’s server or dynamically generates a single-use password for logging in.

The judge said in her 2009 ruling that “assuming that Citizens employed inadequate security measures, a reasonable finder of fact could conclude that the insufficient security caused Plaintiffs’ economic loss.”