The typical lender liability lawsuit is premised on an allegation that a bank has violated some “duty” owed to a bank customer or even a third party. Sometimes that duty arises under contract and sometimes under common law such as for negligence. In the recent case of Wells Fargo Bank v. Jenkins, the Georgia Supreme Court grappled with the issue of whether a party can  sue  a bank for negligence based upon an alleged violation of a federal statute where the federal statute itself does not contain such a remedy. The case arose out of an identify theft situation. Stephen Jenkins was a former customer of a financial institution acquired by Wells Fargo Bank (the “Bank”). A teller improperly accessed Jenkins’s confidential information and gave it to her husband, allowing the husband to steal Jenkins’s identity. Jenkins asserted claims that the Bank negligently failed to protect the information, breached a duty of confidentiality, and invaded his privacy. The trial court granted the Bank’s motion for summary judgment but the Georgia Court of Appeals reversed that decision and held that the allegations of his complaint established the elements of negligence.

Jenkins argued that the Bank had violated the Gramm–Leach–Bliley Act (“GLBA”),15 USC § 6801 et seq., which imposes a general legal duty upon the Bank to protect a customer’s confidential personal information. GLBA does not, however, create a private right of action for aggrieved parties. The Court of Appeals found that Jenkins lawsuit could proceed under a Georgia statute, OCGA § 51–1–6 which states “[w]hen the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party may recover for the breach of such legal duty if he suffers damage thereby.” The Georgia Supreme Court reversed the decision on the basis that in order to invoke the Georgia statute, there must be the alleged breach of a legal duty with some ascertainable standard of conduct. When the court looked at the privacy provisions of GLBA it found that the statute itself did not contain a specific standard of conduct or care by financial institutions and that implementation of GLBA was left to the appropriate federal agencies to enforce by regulations and  rule making. In reversing the Court of Appeals, the Supreme Court concluded as follows: “Simply, the Court of Appeals has misread an aspirational statement of Congressional policy expressed in 15 USC § 6801(a) as establishing a legal duty, the alleged breach of which would give rise under the law of this State to a cause of action for negligence against financial institutions. Congress did not see fit to impose such a duty under § 6801 (a), and this Court will not usurp legislative authority by inferring or supplying one.”

Notch a win for the banks on this one but just keep in mind that identity theft continues to be a hot topic in the courts and banks can expect to see more of it as criminals weave more and more sophisticated methods for stealing consumer information. The law concerning privacy and potential liability for loss for consumer information is a complex web involving a number of state and federal laws and regulations which are then enforced by entities such as the Federal Trade Commission, banking regulatory agencies, State Attorneys General and plaintiffs’ law firms.  Whether a bank gets sued can depend on many factors including how many people have been affected, the size of the loss, political factors and how the bank first responds to situations when they are first brought to the bank’s attention. Most importantly, when something occurs and claims are made, contact legal counsel as soon as possible so that potential legal and reputational risk can be evaluated early on in the process.