Lawsuit after KeyBank breach heralds potential changes in cyber liability

A close-up photo of U.S. dollars.
A close-up photo of U.S. dollars. (Photo Illustration by Alex Wong/Getty Images)

Just days after KeyBank publicly announced late last Friday that an untold number of its mortgage customers had their information stolen, the Cleveland-based financial institution was slapped with a lawsuit that claims both the bank and a third-party service provider were negligent in monitoring and controlling potential IT security issues.

If this federal court case proceeds, and gains class-action status that the litigants are seeking, it could further alter already evolving compliance and liability concerns for banks and other U.S. financial institutions that get hacked — putting more responsibility on them to be proactive and thorough in their IT security efforts. The lawsuit might also delve deeper into the legalities and compliance issues when bad actors attack a financial institution through an outside vendor, as was the apparent case with the recent KeyBank hack.

While KeyBank would not verify the number of affected customers, the federal lawsuit claimed that it exceeded at least 100 people in various states and, by its accounting, damages already amount to more than $5 million for affected customers, not including interest and some other costs. With $187 billion in assets and operating in 15 states, KeyBank, the main subsidiary of KeyCorp, is one of the 25 largest banks in the country.

“Unfortunately, instead of well thought out cyber-defense strategies, the driving force behind cybersecurity efforts may be negligence lawsuits,” said Jeff Williams, co-founder and chief technology officer at Contrast Security.

According to the lawsuit citing the bank’s own annual report, the bank earned $131 million in consumer mortgage income last year, “suggesting a large number of loans [were] originated and/or serviced by the defendants,” the lawsuit alleged. The lawsuit also claimed that despite recent notification of the potential compromise, many KeyBank customers “have already been subjected to violations of their privacy and have been exposed to a heightened and imminent risk of fraud and identity theft.

Potentially impacted KeyBank customers were notified of the breach in a letter on Aug. 26.

The Midwestern super-regional bank released a statement the Friday before the Labor Day weekend, verifying that an unnamed number of the bank’s home mortgage borrowers had their personal data compromised when the bank’s insurance service provider, Overby-Seawell Company (OSC), was hacked in early July. “We take this matter very seriously and have notified all affected individuals,” the bank’s recent statement said.

The bank reported that vender OSC informed the FBI about the breach, and the insurance servicer had already brought in outside cybersecurity experts to investigate. In the late August letter, KeyBank said that OSC would cover expenses for the bank’s affected mortgage borrowers to have Equifax identity protection service for two years.

The bank maintained in its recent statement that it was not made aware of the July 5 OSC breach until a month later, on Aug. 4. Compromised mortgage-holder data was said to potentially include property addresses, bank account numbers, insurance account policy numbers, insurance account information, phone numbers and the first eight digits of Social Security numbers.

However, cybersecurity experts, the legal community and bank customers have questioned that handing out identity protection coverage to customers may be too little, too late. For its part, the lawsuit, which emerged quickly compared to other financial breach-related litigation, has claimed that KeyBank and its vendor OSC were negligent by not doing enough to monitor, inspect and control their own IT security.

While Williams pointed out that “in the real world, it’s possible for banks to get robbed despite elaborate security defenses... [but] in cyberspace, at least according to the KeyBank lawsuit, any breach must mean that the defendant has 'unreasonably deficient data security measures and protocols.'”

In the past couple of years, more financial companies are not only admitting to having been breached, but litigation and regulatory actions are emerging with greater frequency. And increasingly they have alleged that these financial institutions, and often their outside service providers, are not doing enough to stem the tide of financial cyber threats. Indeed, previous settlements in financial data-breach cases have included: Capital One, which paid out $190 million to affected customers and $80 million to settle regulatory actions; Morgan Stanley, which paid $120 million, including civil penalties paid to regulators; and Equifax, which was forced to pay $700 million to settle claims by customers and regulators.

“We will continue to see negligence lawsuits decided by woefully unprepared judges for the foreseeable future,” Williams said. “The results are going to be wildly unpredictable… and lead to bad precedent.”

The crux of the problem, Williams added, is that while there are “a litany of cybersecurity standards that definitely can be used by plaintiffs to establish a duty of care ... there are virtually no companies that fully meet these standards.” Case in point: The OWASP Top Ten, written by Williams himself 20 years ago and “updated many times, was intended to establish a 'low-water mark' for application security. But [it] is almost never met.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.