Target's data breach liabilities mount as credit card issuers' suit proceeds
A federal judge's refusal to dismiss litigation brought by credit card issuers against Target Corp. in the wake of 2013's massive data breach is significant and could influence other courts to hold retailers liable in similar cases.
However, there are elements of this lawsuit that are specific to the Minneapolis-based discount retailer and would not apply to other breach cases, experts say.
Court papers in the litigation filed by the financial institutions, which are seeking class action status, say they have suffered unspecified “substantial out-of-pocket losses” stemming from the 2013 breach.
The Target breach, which cost the company more than $140 million through Nov. 1, 2014, and exposed 110 million customers' payment card numbers, thrust the danger of cyber breaches into the national limelight a year ago.
In his Dec. 2 ruling, Judge Paul A. Magnuson of the U.S. District Court in St. Paul, Minnesota, refused to dismiss the litigation and said plaintiffs can proceed with charges, including negligence, against the retailer.
“At this preliminary stage of the litigation, plaintiffs have plausibly (pleaded) a general negligence case,” according to the memorandum Judge Magnuson issued. “Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.
“Indeed, plaintiffs' allegation that Target purposely disabled the security features that would have prevented the harm is itself sufficient to plead a direct negligence case,” Judge Magnuson wrote.
Litigation filed by consumers in connection with the data breach case also has been consolidated, albeit separately, in Judge Magnuson's court. However, experts say his ruling in the financial institutions case does not provide an insight into how he is likely to rule in that case because different legal issues are involved.
The next major steps in the litigation process will be discovery and, if Target is unsuccessful in having the case dismissed, possibly class certification of the financial institutions.
The ruling essentially holds that, based on the pleadings to date, Target was responsible for the damages the hackers caused even though there was no direct, contractual relationship between the retailer and the credit card issuers.
Judge Magnuson concluded “that there can be a direct duty between the issuing banks and the retailer, and that lets them get over this motion to dismiss hurdle,” said Joshua P. Gunneman, a partner at law firm Rogers & Hardin L.L.P. in Atlanta.
In the absence of a contractual relationship, the judge focuses on “a very traditional legal theory, which is negligence, to impose liability on the company that is hacked,” said Peter S. Selvin, an attorney with Troy Gould P.C. in Los Angeles.
“It's really a significant opinion because, frankly, there's very little case law on what the relationship is between a retailer and the banks that ultimately issue the cards,” said Michelle A. Reed, a partner with Akin Gump Strauss Hauer & Feld L.L.P. in Dallas.
Although Target had claimed it did not have a significant enough relationship with the banks to be liable for the data breach, the judge “essentially circumvented that whole analysis” and held this was a direct negligence case, Ms. Reed said.
She said that “from a legal standpoint it shouldn't matter”; in fact the larger the breach “the more likely the court will find some kind of harm that is not just speculative resulting from the data breach.”
Brian T. Himmel, a partner with Reed Smith L.L.P. in Pittsburgh, said with all the retailer data breaches that have occurred over this past year, the ruling opens the window to new liability exposure for retailers.
While there will not be as immediate an effect, he said financial institutions may get “a little relief” from their underwriters on this issue if the judge's view is eventually supported by the appellate court or by courts in other jurisdictions.
He added, however, that the litigation is still only at the motion to dismiss stage, “so we're a long ways away from being able to assess” the case's effect.
Ruling may be case-specific
Meanwhile, attorneys say that at least to some extent, the judge's ruling is based on the particular facts of the case, and that it may not be widely applicable in other jurisdictions.
Barry Goheen, a partner with law firm King & Spalding L.L.P. in Atlanta, said the judge based his ruling in part on a Minnesota law, the Plastic Card Security Act, which forbids retaining credit card information for more than 48 hours after the transaction is authorized. Not all states have comparable statutes, he said.
Ms. Reed said the ruling underscores the need for retailers to “be prepared ahead of time and make sure they have a proper incident response plan” in place and appropriate lines of authority so there is an immediate response when a red flag appears.
The more reasonable steps retailers take — and document — to protect consumer data, “the more likely they are to survive a conduct-based challenge,” Mr. Gunneman said.