Can You Sue a Bank for Identity Theft? Legal Standards, Consumer Protection Laws & Recent Rulings
Yes, you can sue a bank for identity theft under specific circumstances. Banks can be held liable through negligence claims when they fail to implement adequate security measures, breach of fiduciary duty when they fail to protect customer information, and violations of federal consumer protection statutes including the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, and Electronic Funds Transfer Act. Success depends on proving the bank’s negligence directly caused your financial losses and that the bank failed to meet its legal duty to protect your information.
Identity theft victims face critical questions: Can your bank be held responsible? What legal standards apply? What damages can you recover? Understanding these issues determines whether you have viable legal recourse.
Legal Basis for Suing Banks for Identity Theft
Banks have a duty to protect customers’ personal and financial information. If a bank negligently handles this information and it results in harm such as identity theft or financial loss, customers may have grounds for a lawsuit based on negligence or breach of duty.
Courts recognize several legal theories for bank liability:
Negligence — To establish negligence, victims must demonstrate the bank owed them a duty of care, the bank breached that duty by failing to meet expected standards, and the breach directly caused damages.
Breach of Fiduciary Duty — A fiduciary duty exists in the special banking relationship where banks must take extra precautions regarding customer personal information. If banks fail to protect this information, they may be held liable for resulting losses.
Breach of Contract — Banks have a duty to fulfill contractual obligations with customers. If banks fail to meet these obligations, such as by improperly handling funds or failing to provide agreed-upon services, customers may sue for breach of contract.

Federal Consumer Protection Laws Protecting Identity Theft Victims
Gramm-Leach-Bliley Act Requirements
The Gramm-Leach-Bliley Act directs federal banking agencies to ensure financial institutions have policies, procedures and controls in place to prevent unauthorized disclosure of customer financial information and to deter and detect fraudulent access.
Banks should take steps to safeguard customer information including establishing procedures to verify the identity of individuals applying for financial products, establishing procedures to prevent fraudulent activities related to customer information, and maintaining a customer information security program.
The updated Safeguards Rule effective May 13, 2024 introduced more stringent requirements for security practices and data breach notifications, outlining nine specific elements a business’s information security program must include.
Fair Credit Reporting Act Protections
Consumers can sue a business or credit reporting agency in federal or state court for FCRA violations. This can be for actual damages, statutory damages in cases of willful noncompliance, and attorneys’ fees.
The FCRA is not a strict liability statute, and consumers have the burden of establishing that the bank’s investigation was unreasonable. Courts consider factors including the time spent on investigation, whether the bank contacted the individual directly, and whether the bank had sufficient information to suspect identity theft was legitimate.
For willful FCRA violations, damages may include actual losses incurred by the consumer, punitive damages determined by the court, and costs and reasonable attorney’s fees for successful legal actions.
Electronic Funds Transfer Act Liability Standards
The EFTA requires consumers and financial institutions to communicate fraud within certain timeframes to receive limited liability. Consumers will only be held liable for $50 of a fraudulent transaction if reported within 2 days, $500 if reported within 60 days, and potentially unlimited liability after that.
A federal court recently held that banks may be liable under EFTA for failing to investigate and resolve allegedly unauthorized electronic fund transfers, specifically finding that when consumers send payment orders electronically, EFTA applies to that step of the transfer process.
Civil liability for EFTA violations can be up to $1,000 per violation for individual claims. In class action cases, total damages are capped at either $500,000 or 1% of the violator’s net worth, whichever is lower.
Conditions That Must Be Met to Establish Bank Liability
To successfully sue a bank for unauthorized transactions, individuals must establish that the bank was negligent in protecting the account and preventing unauthorized transactions, which could include situations where the bank failed to implement adequate security measures, did not promptly notify the customer of suspicious activity, or did not verify the identity of individuals making transactions.
Key Requirements:
- Duty of Care — The bank owed you a legal duty to protect your information and prevent identity theft
- Breach of Duty — The bank failed to meet industry-standard security practices or its own stated policies
- Causation — The bank’s negligence directly caused the identity theft and your resulting losses
- Damages — You suffered actual financial losses, not just potential future harm
- Timely Notification — You notified your bank promptly when unauthorized transactions occurred, as most banks have specific procedures and time limits for reporting such incidents.
What Damages Are Recoverable in Bank Identity Theft Lawsuits
Compensatory damages cover anything you’ve lost due to identity theft, designed to make you “whole.” Examples include money stolen from bank accounts or payments on loans you didn’t take out. Compensatory damages can also cover anxiety or distress that the ordeal caused you.
Punitive damages are designed to punish the person responsible for the crime. They go beyond compensatory damages. Not every state offers punitive damages for identity theft, especially against banks or businesses that allowed or facilitated the theft.
Available Damages Include:
- Actual financial losses from fraudulent transactions
- Out-of-pocket costs for credit monitoring and identity restoration
- Lost wages and time spent resolving identity theft
- Emotional distress and anxiety damages
- Credit score damage and higher interest rates paid
- Attorney’s fees and court costs
- Statutory damages under federal laws (FCRA, EFTA)
Recent Bank Identity Theft Class Action Settlements (2024-2025)
Capital One $425 Million Settlement
Capital One was ordered to pay $425 million to compensate customers affected by the 2019 data breach. In July 2019, Capital One admitted its systems had been compromised by a cyberattack that exposed the information of over 100 million American customers and approximately 6 million Canadian customers, including names, addresses, phone numbers, email addresses, dates of birth, bank account details, and Social Security numbers.
Those affected solely by the information leak may receive a few dollars to a few hundred dollars. Those who have suffered actual financial losses such as identity theft or a drop in credit score will receive greater compensation.

Evolve Bank & Trust $11.9 Million Settlement
Evolve Bank & Trust agreed to pay an $11.9 million settlement to resolve multidistrict litigation over a 2024 data breach that impacted approximately 18 million individuals. The settlement benefits individuals whose private information was included in files affected by the 2024 data breach, with class members eligible to receive up to $3,000 in documented losses and/or a flat cash payment of $20, plus one year of credit monitoring.
Prudential Financial $4.75 Million Settlement
Prudential Financial agreed to a $4.75 million settlement over a February 2024 data breach during which a cybercriminal organization accessed the personal information of thousands of Prudential customers. Class members can receive equal-share cash payments, compensation for documented out-of-pocket losses, or compensation for exposure of Social Security or tax identification numbers.
Wells Fargo Unauthorized Accounts Settlement
Wells Fargo was ordered to pay $250 million in fines and customer compensation after the Consumer Financial Protection Bureau found the bank violated consumer protection laws. As part of a 2020 $3 billion deal, Wells Fargo admitted that between 2002 and 2016 it pressured employees to meet unrealistic sales goals that led thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent.
Statute of Limitations for Suing Banks
The statute of limitations varies by state and type of claim:
- Negligence claims: Typically 2-4 years from when you discovered or should have discovered the identity theft
- Breach of contract claims: Generally 3-6 years depending on state law
- Federal statutory claims: FCRA lawsuits must be filed within 2-5 years depending on whether the violation was willful
- EFTA claims: Generally within 1 year of the violation
Act promptly. Missing the deadline permanently bars your claim regardless of merit.
Evidence Needed to Prove Bank Liability
To successfully sue a bank, individuals must gather sufficient evidence and documentation to support their claims. This may include bank statements, contracts, correspondence with the bank, witness statements, or expert opinions.
Critical Evidence:
- Bank statements showing unauthorized transactions
- Documentation of when you reported the identity theft to the bank
- Records of the bank’s response and investigation
- Evidence of inadequate security measures the bank failed to implement
- Expert testimony on industry-standard banking security practices
- Documentation of your financial losses and expenses
- Credit reports showing fraudulent accounts
- Police reports and FTC identity theft reports
- Communications with the bank about the fraud
How Courts Determine Bank Negligence in Identity Theft Cases
Courts evaluate whether banks met their duty of care by examining:
Security Measures — Did the bank implement reasonable safeguards consistent with industry standards and federal regulations?
Detection Systems — Did the bank have adequate fraud detection systems to identify suspicious activity?
Response Protocols — Did the bank respond appropriately when notified of potential identity theft?
Verification Procedures — Did the bank establish procedures to verify the identity of individuals applying for financial products and prevent fraudulent activities related to customer information?
Foreseeability — Was the identity theft foreseeable based on known security vulnerabilities or previous incidents?
Common Legal Defenses Banks Raise
Banks typically defend identity theft lawsuits by arguing:
- Consumer Negligence — The customer failed to safeguard their own information or promptly report suspicious activity (Note: The EFTA specifically states that even if you are negligent in handling your access card, the bank cannot avoid its EFTA obligations.)
- Third-Party Responsibility — The identity theft resulted from a third-party data breach, not bank negligence
- Compliance with Regulations — The bank followed all applicable security standards and regulations
- Lack of Causation — The customer cannot prove the bank’s actions directly caused their losses
- Untimely Notification — The customer failed to report the fraud within required timeframes
When Bank Identity Theft Lawsuits Succeed vs. Fail
Lawsuits More Likely to Succeed When:
- Banks failed to implement basic security measures required by GLBA
- Banks ignored obvious red flags or suspicious activity patterns
- Banks delayed investigating or responding to fraud reports
- Banks violated specific FCRA or EFTA requirements
- Multiple customers experienced similar identity theft due to bank system vulnerabilities
- Expert testimony demonstrates the bank’s security fell below industry standards
Lawsuits More Likely to Fail When:
- The identity theft resulted from the customer’s own negligence
- The bank promptly investigated and resolved the issue
- The bank followed all applicable regulations and industry standards
- The customer cannot prove actual damages or causation
- The customer missed statutory notification deadlines
Practical Guidance for Evaluating Your Claim
Before pursuing a lawsuit against your bank:
Act Immediately — Contact your bank and other financial institutions to report the theft and temporarily freeze your credit. Report the identity theft to the three credit reporting bureaus: Equifax, Experian, and TransUnion.
Document Everything — Maintain detailed records of all communications with your bank, unauthorized transactions, and expenses incurred resolving the identity theft.
Understand Realistic Outcomes — Going to court to recover losses from identity theft can take time and money. You’ll need to decide if the juice is worth the squeeze in pursuing the damages.
Consider Class Actions — If a data breach affected numerous people, joining a class action lawsuit allows individuals to combine similar claims into one larger, more powerful case against the company.
Consult Legal Counsel — Work closely with an attorney who specializes in banking law and who can help gather and organize evidence effectively and give specific advice tailored to your situation.
Recent Legal Developments Affecting Bank Liability (2024-2025)
On May 13, 2024, an amendment to the FTC’s Standards for Safeguarding Consumer Information came into effect, introducing more stringent requirements for security practices and data breach notifications.
Recent federal court rulings have expanded EFTA coverage, finding that consumer wire transfers initiated electronically through online banking portals are subject to EFTA, potentially increasing bank liability for unauthorized wire transfers.
Over 1.13 million reports of identity theft were made in 2024. Identity theft is more prevalent than ever, given the amount of sensitive information easily discoverable in today’s digital world.
Frequently Asked Questions
Can you sue a bank for identity theft?
Yes. Banks can be held liable for identity theft through negligence claims, breach of fiduciary duty, and violations of federal consumer protection laws including the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, and Electronic Funds Transfer Act. Success requires proving the bank’s negligence caused your losses.
What legal standards apply to bank liability for identity theft?
To establish bank liability, you must demonstrate the bank owed you a duty of care, the bank breached that duty by failing to meet expected standards or violating contractual obligations, and the breach directly caused your damages. Courts also evaluate whether the bank followed federal security requirements under GLBA.
What damages can I recover in a bank identity theft lawsuit?
Compensatory damages cover actual financial losses including money stolen from accounts, payments on fraudulent loans, and anxiety or distress. Punitive damages may be available in some states, though not every state offers punitive damages against banks. You may also recover attorney’s fees and statutory damages under federal laws.
What is the statute of limitations for suing a bank for identity theft?
The statute of limitations varies by state and claim type, typically ranging from 2-4 years for negligence claims and 3-6 years for breach of contract. Federal statutory claims under FCRA must be filed within 2-5 years. Act promptly as missing deadlines permanently bars claims.
What evidence do I need to sue a bank for identity theft?
You must gather evidence including bank statements, contracts, correspondence with the bank, witness statements, or expert opinions. Document unauthorized transactions, when you reported fraud, the bank’s response, inadequate security measures, your financial losses, and expert testimony on industry standards.
What are recent court rulings on bank liability for identity theft?
Recent federal court rulings have expanded EFTA coverage, holding that banks may be liable for failing to investigate unauthorized electronic fund transfers, and specifically finding that consumer-initiated wire transfers sent electronically fall under EFTA protections. Multiple class action settlements in 2024-2025 have resulted in substantial payouts to identity theft victims.
How do I know if I have a viable case against my bank?
Evaluate whether the bank failed to implement required security measures, ignored obvious fraud indicators, violated GLBA, FCRA, or EFTA requirements, delayed investigating your fraud report, or fell below industry security standards. Strong cases involve documented bank negligence, substantial financial losses, timely fraud reporting, and clear causation between bank failures and your damages.
Disclaimer: This information is for educational purposes only and does not constitute legal advice. Bank liability for identity theft varies by jurisdiction, applicable laws, and specific circumstances. Consult official government resources, court records, or an attorney for specific guidance regarding your situation and potential legal claims.
About the Author

Sarah Klein, JD, is a former consumer rights attorney who spent years helping clients with issues like unfair billing, product disputes, and debt collection practices. At All About Lawyer, she simplifies consumer protection laws so readers can defend their rights and resolve problems with confidence.
