Banks Can Sue Retailers for Data Breaches
Credit card issuing banks can sue retailers for damages that result from data breaches.
On December 2, 2014, a district judge in Minnesota ruled that a group of credit card issuing banks can continue their suit against Target (headquartered in Minnesota) for damages stemming from the December 2013 data breach that led to the theft of about 40 million consumer credit card numbers. Target had sought to dismiss the suits, arguing that the banks did not allege sufficient facts to establish a claim. The court reviewed the banks’ allegations and found sufficient facts that established their claims.
Retailers should be on notice. This ruling could signify the start of suits by credit card issuing banks against retailers if they fall short in securing their information technology (IT) and point-of-sale (POS) systems, and those failures lead to damaging data breaches. While the Minnesota ruling does not comment on the merits of the banks’ case against Target, it does present a shift in the allocation of responsibility amongst the various parties to a credit card transaction. Previously, credit card issuing banks suffered the costs of replacing compromised credit cards. The present ruling recognizes a bank’s right to compensation and affords recourse to file suit.
In the ruling, the Minnesota court considered Target’s activities leading up to the breach, the likelihood of harm stemming from such activities, the relationship and obligations that Target had towards the banks, and general policies of fairness. The court found that the banks plausibly alleged that Target’s actions and inactions – including “disabling certain security features and failing to heed warning signs” as the breach began – created a foreseeable harm to the banks. Additionally, sufficient facts showed the possibility that Target’s actions “exacerbated the harm” the banks suffered. The court also found it plausible to hold Target “solely able and solely responsible” for safeguarding credit card information. Lastly, the court applied Minnesota’s public policy of “punishing companies that do not secure consumers’ credit- and debit-card information” and found it plausible that Target had failed to do so.
Additionally, the court found sufficient facts alleging that Target may have also breached its duty to disclose its data privacy and security posture. The court, restating the banks’ allegations, found it possible that only Target was privy to special facts pertaining to data security, and Target’s “public representations regarding its data security practices . . . were misleading. Target held itself out as having secure data systems [but knew] that it did not have secure systems and had taken affirmative steps to make its systems more vulnerable to attack.”
The banks are also using Minnesota’s Plastic Security Card Act (PSCA) as a cause of action. Somewhat unique to Minnesota, the PSCA allows the banks to seek reimbursement from Target for violating portions of the Act. In this case, even though many of the breaches occurred on POS systems outside of Minnesota, the court noted that the statute does not concern itself with where the loss occurred, but that the loss was caused by a Minnesota business. Hence, Target and its data policies are governed by the PSCA.
The court ruling also lends legal credibility to banks’ claims against retailers. Previously, credit card processors like Visa and MasterCard, only as part of their operating regulations, had procedures that allow banks to make claims in the event of data breaches. Now, such claims have some judicial support.
Ultimately, retailers should be aware that deficiencies in their data privacy and security operations have increased implications when it comes to financial institutions. This current trend underscores the expanding policy of holding retailers liable for their roles in data breaches. Retailers should see this as a call to adopt stronger data security and privacy practices.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.