Young v. Bank of America NA et al

On December 29, 2025, plaintiff Jane Young filed a federal lawsuit against Bank of America, N.A., alleging that the bank’s grossly inadequate cybersecurity protocols enabled threat actors to compromise her personal and financial data. The breach resulted in a series of unauthorized wire transfers exceeding $87,000, which the bank initially refused to reimburse. Young’s complaint asserted claims under the Electronic Fund Transfer Act and state consumer protection statutes, contending the bank ignored repeated red flags and failed to implement mandatory multi-factor authentication. The case rapidly garnered attention as evidence emerged of similar vulnerabilities affecting thousands of account holders, prompting a consolidated class-action complaint. Bank of America denied liability, arguing that Young’s own negligence in safeguarding her credentials contributed to the loss. The litigation exposed systemic weaknesses in real-time fraud detection systems at major U.S. financial institutions.

After a three-week jury trial, the court entered judgment in favor of the plaintiff class in June 2026. The jury awarded $42 million in compensatory damages and an additional $120 million in punitive damages, finding that the bank willfully disregarded known security deficiencies. The court also issued a permanent injunction requiring Bank of America to overhaul its fraud monitoring infrastructure and submit to biennial third-party audits for five years.

Whether Bank of America breached its duty of care under federal and state law by failing to maintain commercially reasonable security measures, and whether the bank’s delay in blocking suspicious transactions rendered it strictly liable for the resulting losses.

The verdict sent shockwaves through the U.S. banking industry, accelerating the adoption of zero-trust architecture and real-time artificial intelligence fraud detection. Federal regulators, including the OCC and CFPB, issued joint guidance mandating stricter customer authentication standards. The case also empowered consumers to pursue similar litigation, leading to a wave of data-security class actions and legislative proposals for a federal data privacy and breach notification statute.