The opinion of the court was delivered by: Rebecca R. Pallmeyer United States District Judge
MEMORANDUM OPINION AND ORDER
Defendant Citizens Financial Bank is a federally insured savings bank with branch locations in northwest Indiana and the Chicago area. Plaintiffs Marsha and Michael Shames-Yeakel were customers of Citizens who fell victim to identity theft when an unknown person gained access to their online account and stole $26,500 from a home equity credit line. When Plaintiffs refused to pay Citizens for the loss, the bank reported their account as delinquent to the national credit bureaus and threatened to foreclose on Plaintiffs' residence. In response, Plaintiffs brought this action, alleging violations of the Truth in Lending Act ("TILA"), the Electronic Funds Transfer Act ("EFTA"), the Fair Credit Reporting Act ("FCRA"), and the Indiana Uniform Consumer Credit Code ("IUCCC"), as well as negligence and breach of contract, seeking actual and punitive damages. Shortly after Defendant moved for summary judgment, Plaintiffs voluntarily dismissed their IUCCC and breach of contract claims (Counts IV and VI), leaving four counts for consideration in this motion for summary judgment. For the reasons stated below, the motion is granted in part and denied in part. Summary judgment is granted with respect to the EFTA claim (Count II), granted in part on the FCRA and negligence claims (Counts III and V), and otherwise denied.
I. Plaintiffs' Relationship with Citizens
Plaintiffs are a married couple who reside in Crown Point, Indiana. (Marsha Shames-Yeakel Dep. [hereinafter "Marsha Dep."] at 5, Ex. 1 to Citizens' Statement of Facts Pursuant to LR 56.1 [hereinafter "Def.'s 56.1"].) Since 2005, Plaintiff Marsha Shames-Yeakel has operated "Best Practices," an accounting and bookkeeping business, from her home. (Def.'s 56.1 ¶¶ 1--2; Marsha Dep. at 5.) Plaintiff Michael Shames-Yeakel also works under the Best Practices name, offering his services to various companies as a project manager and computer programmer. (Def.'s 56.1 ¶ 4.) Best Practices owned a business checking account with Citizens, distinct from Plaintiffs' personal accounts with the bank. (Plaintiffs' Response to Def.'s Statement of Facts Pursuant to LR 56.1 and Statement of Additional Facts [hereinafter "Pls.' 56.1"] ¶ 3.)
In April 2003, Plaintiffs opened a $50,000 home equity line of credit from Citizens. (Def.'s 56.1 ¶ 6; Pls.' 56.1 ¶ 6.) The parties agree that Plaintiffs took four advances on the credit line, although they disagree about whether the purchases were primarily personal or commercial in nature.*fn1 (Def.'s 56.1 ¶ 7; Pls.' 56.1 ¶ 7.) Plaintiffs used the first advance to make a down payment on a loft in Chicago. (Marsha Dep. at 28: 4--5.) Ms. Shames-Yeakel referred to the loft as an "investment" in her deposition (id.), but she explained that she owns the loft jointly with her son, who uses the loft as his personal residence, and that the property constitutes an investment only insofar as Plaintiffs hope to sell it for a profit when their son ultimately moves out of it. (Id. at 28: 15--17; Marsha Decl. ¶¶ 3--7, Ex. 1 to Pls.' Resp.) With the second advance, Plaintiffs paid off the balance they owed on their two cars, one primarily used by Ms. Shames-Yeakel and one by Mr. Shames-Yeakel.*fn2 (Def.'s 56.1 ¶¶ 7--8; Michael Shames-Yeakel Dep. [hereinafter "Michael Dep."] at 29--30, Ex. 2 to Def.'s 56.1.) Defendant contends that Plaintiffs used the vehicles for Best Practices business (Def.'s 56.1 ¶ 7--8), but Plaintiffs respond that they purchased the cars before Ms. Shames-Yeakel formed Best Practices, and that Plaintiffs at all times continued to use the vehicles for personal purposes, merely taking tax deductions for certain mileage attributable to business travel. (Pls.' 56.1 ¶ 7--8; Michael Dep. at 31: 5--6.) Neither party offers evidence about the proportion of personal versus business mileage on the cars. Plaintiffs used their third credit advance to pay for a new roof for their personal residence, which includes a home office for Best Practices. (Def.'s 56.1 ¶ 7.) And finally, Plaintiffs used funds from a fourth advance to purchase a car for their daughter. (Id.) In 2006, Plaintiffs "linked" the credit line to their Best Practices business checking account, enabling them to transfer funds online between the accounts. (Id. ¶ 9, 11.) Plaintiffs used this feature primarily to make payments on the home equity credit line from their business checking account. (Id. ¶ 11.)
II. The Disputed Transactions
Unfortunately, the history of Plaintiffs' home equity credit line does not end there. On February 13, 2007, an unknown person with an IP address different from that of Plaintiffs gained access to Plaintiffs' online Citizens accounts by using Ms. Shames-Yeakel's username and password.*fn3 (Def.'s 56.1 ¶ 20; Pls.' 56.1 ¶ 20.) This person ordered a $26,500 advance on Plaintiffs' home equity credit line and initially deposited that amount into Plaintiffs' business checking account. (Def.'s 56.1 ¶ 21.) From there, the thief wired the funds to a bank in Hawaii, and from Hawaii to a bank in Austria. (Id.) Ten days later, Plaintiffs called Citizens to report the unauthorized transfer, but it was too late. (Id. ¶ 22.) Citizens contacted the Hawaiian bank, and the Hawaiian bank in turn contacted the Austrian bank, but the Austrian bank ultimately refused to return the funds. (Milne Dep. at 39, Ex. 6 to Def.'s 56.1.) A Citizens investigation revealed that the account in Hawaii that had received the stolen funds was held in the name of "JV Financial." (Def.'s 56.1 ¶ 28.) Deborah Milne, a vice president of Citizens, tried but failed to contact JV Financial directly. (Id. ¶ 29.) Another Citizens vice president, Rebecca Rees, supervised a subsequent investigation into the theft. (Id. ¶ 32.) After analyzing the available data, Rees identified the specific IP address from which the thief had ordered the transfer. (Id.) An activity report produced by the online banking system showed that the person had logged on using Ms. Shames-Yeakel's username and password. (Id. ¶ 24.) An expert retained by Citizens testified that in his opinion, the bank's investigation was "reasonable and conducted properly."*fn4 (Id. ¶ 33.)
Once Milne determined that Citizens would not be able to retrieve Plaintiffs' funds, the bank sent Plaintiffs a letter notifying them that the bank intended to hold them liable for the loss, presumably pursuant to the terms of plaintiffs' online banking agreement (Id. ¶ 30.) Specifically, the "Business Online Banking Application" form that Plaintiffs completed required them to agree to associated terms and conditions. (Id. ¶¶ 12, 16; Citizens Business Online Banking Application, Attach. 1 to Ex. 3 to Def.'s 56.1.) Among those terms and conditions was a disclaimer stating, "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." (Citizens Business Online Banking Internet Banking Agreement at 8, Attach. 2 to Ex. 3 to Def.'s 56.1.) Neither side offers evidence of how, if at all, Citizens' online banking for businesses differed from its online access for personal accounts.
The Office of Thrift Supervision ("OTS"), a federal agency within the Department of the Treasury, also reviewed the dispute between Citizens and the Shames-Yeakels, at the request of Ms. Shames-Yeakel. (Def.'s 56.1 ¶ 41; Letter from Ozburn to Shames-Yeakel of July 27, 2007, Attach. 5 to Ex. 3 to Def.'s 56.1.) On July 27, 2007, the agency issued a letter to Plaintiffs opining that neither the Truth in Lending Act nor the Electronic Funds Transfer Act governed their situation and concluding that the agency therefore had no regulatory objection to Citizens holding them liable.*fn5 (Letter from Ozburn to Shames-Yeakel of July 27, 2007.)
Plaintiffs made several complaints to Citizens after the bank began billing Plaintiffs for the $26,500, but to no avail. (Pls.' 56.1 ¶ 60.) Citizens' loan management department merely confirmed as accurate the amount shown in the account's balance. (Stur Dep. 53--56, Ex. 4 to Pls.' Resp.) When Plaintiffs failed to make full payments*fn6 on the balance, Citizens began reporting the account as delinquent to national credit bureaus. (Def.'s 56. ¶ 35.) In response, Plaintiffs filed at least 19 "credit reporting disputes" with credit bureaus, which were passed along to Citizens for investigation pursuant to the Fair Credit Reporting Act. (Pls.' 56.1 ¶ 61; Ex. 14 to Pls.' Resp.) Plaintiffs assert that the bank failed to perform any investigations in response to the credit reporting disputes (Pls.' 56.1 ¶ 61), although they do not contest that Defendant responded to every dispute and in addition wrote two letters to Plaintiffs about the issue. (Def.'s ¶¶ 38--39.) Apparently, the bank in all cases verified the accuracy of the account's balance but refused to reconsider its decision to hold Plaintiffs liable. (Pls.' 56.1 ¶ 61; Def.'s 56.1 ¶¶ 38, 40.) According to credit history reports produced by Plaintiffs, the delinquencies reported by Citizens are the only late payments in either Plaintiff's credit history. (Ex. 15 to Pls.' Resp.) The parties fail to address whether Citizens advised the credit bureaus that the debt was contested, but neither of Plaintiffs' credit histories (both from Experian) note the disputed nature of the debt. (Id.) Beyond reporting Plaintiffs to the credit bureaus, Citizens in August 2007 sent Plaintiffs a "Notice of Default and Right to Cure" letter, threatening to foreclose on Plaintiffs' home should they continue to refuse to make payments on the account. (Letter from Johanson to Shames-Yeakel of Aug. 28, 2007, Ex. 17 to Pls.' Resp.) Thereafter, Plaintiffs began making payments under protest. (Pls.' 56.1 ¶ 72; Letter from Shames-Yeakel to Johanson of Mar. 1, 2008, Ex. 18 to Pls.' Resp.)
III. Citizens' Security Measures
Because Plaintiffs have alleged a state law claim of negligence, the bank's security practices are also relevant to this case. Citizens contracts with a third party named Fiserv to provide its online banking services. (Def.'s 56.1 ¶ 14.) As part of this relationship, Fiserv provides "information security services" intended to keep information such as online login credentials secure. (Id.) Defendant claims, and Plaintiffs do not dispute, that Fiserv has a reputation in the banking industry for providing high-quality services.*fn7 (Id.) In addition to security services provided by Fiserv, Citizens requires all online banking customers to use passwords of their own creation. (Id. ¶ 15.) It also restricts access to its online banking system to those employees who have a business need to access the system. (Id.) An information security expert retained by Citizens opined that the bank's security measures "were reasonable and not the cause of the unauthorized transfer."*fn8 (Scholl Report, Ex. 8 to Def.'s 56.1.)
Plaintiffs do not dispute these facts, but they nevertheless argue that Citizens' online banking security lagged behind industry standards. Specifically, Plaintiffs claim that Citizens failed to guard access to Plaintiff's account with adequate security features at the time of the theft. (Pls.' 56.1 ¶¶ 47--49.) Citizens protected access to Plaintiffs' online accounts simply by means of a user name and password, or "single-factor identification." (Milne Dep. at 88--89, 90: 16--20, Ex. 8 to Pls.' Resp.) In contrast, "multifactor identification" checks against multiple data points, beyond user ID and password, to verify the identity of users attempting to log on to a system, thereby adding an additional layer of security. (Scholl Dep. at 35--36, Ex. 6 to Pls.' 56.1.) Plaintiffs argue that Defendant should have provided them with a security feature known as a "token." (Pls.' 56.1 ¶ 49.)
Mark Scholl, Citizens' own expert, explained that a token is an object possessed by a user, either as a digital object saved to the user's computer or as a physical device carried by the user. (Scholl Dep. at 38--39.) Tokens can provide additional security in various ways, for instance by generating ever-changing pass codes or by identifying a user's specific computer to the bank's website.*fn9 (Id.) At the time of the unauthorized access to Plaintiffs' account, Citizens was in the process of issuing physical tokens to its users, in the form of small devices that would fit on a key chain and were to generate ever-changing eight-digit pass codes. (Milne Dep. at 88.) Once in possession of a token, the bank's customers were to log on to Citizens' online banking system using the token-generated number in addition to a PIN and username the user had established. (Id. at 87--88.)
To support their contention that Citizens should have had such security measures in place at an earlier date, Plaintiffs cite a 2005 document entitled "Authentication in an Internet Banking Environment"*fn10 authored by the Federal Financial Institutions Examination Council ("FFIEC"). (Pls.' 56.1 ¶ 47.) The FFIEC is an interagency body that advises a number of federal agencies on appropriate standards for the regulation of financial institutions. See generally About the FFIEC, http://www.ffiec.gov/about.htm. The "Authentication" document issued by the Council discusses a number of security measures, including tokens, available to banks that offer online banking services. FFIEC, AUTHENTICATION IN AN INTERNET BANKING ENVIRONMENT [hereinafter "FFIEC Report"] 2, 7--14 (2005), http://www.ffiec.gov/pdf/authentication_guidance.pdf. Notably, although the report "does not endorse any particular technology," it states,
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services.... Account fraud ...