Bank sued over Zeus trojan-based fraud

There have been several cases of bank customers suing their banks after a breach that resulted in stolen funds.

The case of Global Title and the bank it sued, as covered by KrebsOnSecurity, is in some ways typical of these suits. Global Title, a Northern Virginia-based title company, is suing Capital One, "alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One's online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password."

The other area that the case might explore is the bank's response. When a company owner, having noticed that she was frozen out of her account, "visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank's back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1." That cost the plaintiff $200,000.

For banks, there is a lot to ponder here. At some point, more courts may determine that banks are indeed liable for losses even though the responsibility has thus far rested with customers to safeguard their own password information. At a trial, it will certainly not look good for the bank if its practices are found to be outdated and woefully inadequate. So it behooves banks to be able to show that their security practices are in line with federal guidance and that they have worked proactively with customers.

Capital One seems to understand this. It issued a statement saying that, "Capital One's authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions." This will be interesting to follow.
