In an ironic twist of fate, the United States Court of Appeals for the Third Circuit recently ruled that even financial institutions face a rough road ahead when it comes to recovering damages for data security and identity theft claims.

In the case of Citizens Bank v. Reimbursement Technologies, Pennsylvania financial juggernaut Citizens Bank sued a third-party medical billing company whose employees allegedly accessed personally identifiable information belonging to over one hundred Citizen’s account holders and then used the data to illegally withdraw money from branches across six different states.  Although Citizen’s Bank suit focused on violations of the Stored Communications Act that regulates the disclosure of electronic communications and transactional records held by internet service providers, it also asserted state law causes of action for common law negligence.  However, the district court below ultimately dismissed the federal law action and, in addition, ruled that Citizens Bank’s state law claims failed to state a legally recognized theory of negligence against the defendant.

On appeal to the Third Circuit, the appellate panel was asked to determine whether Citizens Bank’s state law negligence and fraud claims could proceed independently of the federal action.  Citizens Bank argued that the district court erred in also dismissing its negligence claims against the defendant because as a data controller, Reimbursement Technologies owed its patients and their financial institutions a duty to safeguard their personally identifiable information.  The Court of Appeals concluded that Pennsylvania’s five-factor test for determining the existence of a duty required dismissal.  Specifically, the Third Circuit explained that notwithstanding Reimbursement Technologies’ failings, Citizens Bank, itself, was in the best position to prevent its claimed harm and, as a result, liability could not pass to the defendant as a matter of Pennsylvania law.

Citizens Bank represents a proverbial turning of the tables, insofar as the jurisprudence of data privacy and consumer protection has often operated in favor of protecting financial institutions that are sued for failing to protect their customers’ data.  Rarely, if ever, does the law recognize that what is good for the goose is likewise good for the gander, but Citizens Bank clearly indicates that the law concerning cyber security and identity theft is slow to develop irrespective of whether the claimant is an individual or a national corporation.  Thanks to Adam Gomez for his contribution, and please email Brian Gibbons with any questions.