In an important ruling in December 2014, the United States District Court for the District of Minnesota ruled in favor of banks suing Target over a December 2013 data breach, previously covered by this blog. Target had previously filed a motion asking the court to dismiss the banks’ lawsuit on the grounds that the banks had not stated a claim for which relief could be granted.
Target attacked three claims asserted by the banks. Specifically, Target argued that the banks could not state claims for negligence, negligent omission, or a violation of Minnesota’s Plastic Card Security Act. The court addressed each of the three arguments in detail.
First, the court concluded that the banks suing Target plausibly stated a rationale that Target owed each of the banks a duty. Under Iowa as well as Minnesota law, an entity is only liable for negligence if the entity first owed a duty to the party suffering injury. The court concluded that “Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to [banks] . . . . .” As a result, the Court concluded that “[i]mposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.” The court’s conclusion was based in part of the fact that Minnesota has enacted a statute intended to safeguard the security of customer credit card information by limiting the retention period for the data.