Target for litigation: Court rules in favor of banks suing Target for data breach

In an important ruling in December 2014, the United States District Court for the District of Minnesota ruled in favor of banks suing Target over a December 2013 data breach, previously covered by this blog. Target had previously filed a motion asking the court to dismiss the banks' lawsuit on the grounds that the banks had not stated a claim for which relief could be granted. Target attacked three claims asserted by the banks. Specifically, Target argued that the banks could not state claims for negligence, negligent omission, or a violation of Minnesota's Plastic Card Security Act. The court addressed each of the three arguments in detail. First, the court concluded that the banks suing Target plausibly stated a rationale that Target owed each of the banks a duty. Under Iowa as well as Minnesota law, an entity is only liable for negligence if the entity first owed a duty to the party suffering injury. The court concluded that Target's actions and inactions disabling certain security features and failing to heed the warning signs as the hackers' attack began caused foreseeable harm to [banks] . . . . . As a result, the Court concluded that '[i]mposing a duty on Target in this case will aid Minnesota's policy of punishing companies that do not secure consumers' credit- and debit-card information.' The court's conclusion was based in part of the fact that Minnesota has enacted a statute intended to safeguard the security of customer credit card information by limiting the retention period for the data. Second, the court ruled on Target's claim that the banks cannot maintain a claim for negligent omission. According to the banks, Target knew facts about its ability to repel hackers that Plaintiffs could not have known, and that Target's public representations regarding its data security practices were misleading. The court agreed with the banks that Target's failure to disclose information about deficiencies in its systems could be a basis for relief. However, the court agreed with Target that the banks failed to explain exactly how they relied on Target's non-disclosure. Thus, the court dismissed the banks' negligent omission claim, but gave them an opportunity re-assert it if they can explain how banks relied on Target's omission. Finally, the court ruled that Target may have violated Minnesota's Plastic Card Security Act. The law governs company retention of customer information. The court concluded that since Target is based in Minnesota the law applies to Target transactions regardless of whether they occur in Minnesota or not. The court concluded that '[e]ven if Target is correct that the hackers' storage of stolen data on Target's servers does not implicate the PCSA, Plaintiffs claims undoubtedly state a PCSA violation. Thus, the lawsuit brought by banks against Target for the 2013 data breach will continue. This case is being litigated alongside a host of other cases brought on behalf of consumers who suffered losses as a result of the breach. Even though it is preliminary, this ruling is important for banks across the country. The court's conclusion that Target's cybersecurity failures caused foreseeable harm to banks is significant. Since threats from cyberthieves are not going away, banks will continue to face a substantial threat of loss. The litigation against Target may force retailers to share responsibility for this threat.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.