A federal judge on Tuesday handed an early victory to banks in their effort to recoup losses from a major breach last year at Target. More than 40 million credit cards were compromised in the incident.
A United States District Judge in Minnesota, Paul A. Magnuson, rejected Target’s bid to dismiss lawsuits by financial institutions that claim Target had played a “key role” in allowing its computer systems to be compromised.
The ruling is one of the first court decisions to clarify the legal confusion between retailers and banks in data breaches. In the past, banks were often left with the financial burden of a hacking and were responsible for replacing stolen cards. The cost of replacing stolen cards from Target’s breach alone is roughly $400 million — and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.
The Target ruling makes clear that banks have a right to go after merchants if they can provide evidence that the merchant may have been negligent in securing its systems.
While the lawsuit continues, lawyers say this early ruling could have widespread impact in the onslaught of data breach cases this year. The judge ruled that charges that Target ignored security software alerts and disabled some of its security features was enough for the banks to pursue a claim of negligence.
“The allocation of risk in any data breach is a hot-button issue,” said Craig Newman, managing partner of Richards Kibbe & Orbe. “What this ruling means is that the banks won’t necessarily be left holding the bag if the merchant was negligent in the way it maintained and safeguarded customer information.”
In the past, the liability for breaches was governed by a complex series of contracts between merchants, payment processors and credit card companies.
Mr. Newman said that Tuesday’s ruling was the beginning of a new “legal road map in determining who’s responsible for paying the significant costs associated with a hacking incident.”
Five banks — including Umpqua Bank in Roseburg, Ore.; Mutual Bank in Whitman, Mass.; Village Bank in St. Francis, Minn.; CSE Federal Credit Union in Lake Charles, La.; and First Federal Savings Bank in Lorain, Ohio — are pursuing class-action status and seeking millions of dollars in damages. (Consumers are also pursuing separate class-action suits related to the breach).
“Plaintiffs have plausibly alleged that Target’s actions and inactions — disabling certain security features and failing to heed the warning signs as hackers’ attack began — caused foreseeable harm to plaintiffs,” Judge Magnuson wrote in his ruling on Tuesday. “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.”
Target declined to comment, citing a policy not to comment on active litigation.
At the time of its breach last year, Target had installed a $1.6 million advanced breach detection technology from the company FireEye.
But according to several people briefed on its internal investigation who spoke on the condition of anonymity, the technology sounded alarms that Target did not heed until hackers had already made off with credit and debit card information for 40 million customers and personal information for 110 million customers.