It theoretically is possible that ATM users would sue your bank after a data breach stemming from a skimmer installed on one of your ATMs, but it is difficult to predict the chances of such a lawsuit hitting your bank, not to mention estimating the potential liability and costs.
(An ATM skimmer is a device installed in an ATM card reader to steal card data, which hackers then use to create counterfeit cards. The Krebs on Security blog has published a series of posts with more details on ATM skimmers.)
In Illinois and across the country, customers have been suing retailers and other businesses over data breach incidents. In Illinois federal courts, Neiman Marcus customers have sued the retailer after it announced that hackers installed malware in its computer systems, potentially exposing 350,000 card numbers to hackers. The class action plaintiffs’ claimed injuries include not just costs related to fraudulent transactions but also time and money lost in protecting against future identity theft, the loss of control over personal information, and more. At this time, we have not seen similar lawsuits filed against ATM owners (whether banks or nonbanks) in connection with ATM skimmers, but ATM users likely could make similar arguments and claim similar injuries as customers hit by a retailer data breach.
It may be possible to obtain cyber risk insurance or other insurance to cover potential losses, if your institution has not already done so. We recommend consulting with an experienced insurance broker and bank counsel for more information on cyber risk insurance.
For resources related to our guidance, please see:
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 692 (7th Cir. 2015) (“The plaintiffs point to several kinds of injury they have suffered: 1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store's careless approach to cybersecurity, and 4) lost control over the value of their personal information. . . . The plaintiffs also allege that they have standing based on two imminent injuries: an increased risk of future fraudulent charges and greater susceptibility to identity theft. ”)