A bank that failed to use "multi-factor" authentication (as opposed to only usernames and passwords) may have breached its duty to provide online account security owed to the plaintiff individuals whose home equity line of credit account was breached by a hacker. The U.S. District Court for the Northern District of Illinois denied summary judgment to the defendant, Citizens Financial Bank ("Citizens"), on the negligence claim (although the Court granted summary judgment to Citizens on plaintiffs' Electronic Funds Transfer Act claim and part of their Fair Credit Reporting Act claims). The plaintiffs relied on a 2005 report from the Federal Financial Institutions Examination Council ("FFIEC") that focused on online bank authentication methods, which stated that "single-factor authentication [is] inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." The court concluded that based on Citizens' delay in implementing the FFIEC multi-factor authentication standards, "a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access."