In an important ruling in December 2014, the United States District Court for the District of Minnesota ruled in favor of banks suing Target over a December 2013 data breach, previously covered by this blog. Target had previously filed a motion asking the court to dismiss the banks’ lawsuit on the grounds that the banks had not stated a claim for which relief could be granted.
Target attacked three claims asserted by the banks. Specifically, Target argued that the banks could not state claims for negligence, negligent omission, or a violation of Minnesota’s Plastic Card Security Act. The court addressed each of the three arguments in detail.
First, the court concluded that the banks suing Target plausibly stated a rationale that Target owed each of the banks a duty. Under Iowa as well as Minnesota law, an entity is only liable for negligence if the entity first owed a duty to the party suffering injury. The court concluded that “Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to [banks] . . . . .” As a result, the Court concluded that “[i]mposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.” The court’s conclusion was based in part of the fact that Minnesota has enacted a statute intended to safeguard the security of customer credit card information by limiting the retention period for the data.
Finally, the court ruled that Target may have violated Minnesota’s Plastic Card Security Act. The law governs company retention of customer information. The court concluded that since Target is based in Minnesota the law applies to Target transactions regardless of whether they occur in Minnesota or not. The court concluded that “[e]ven if Target is correct that the hackers’ storage of stolen data on Target’s servers does not implicate the PCSA, Plaintiffs’ claims undoubtedly state a PCSA violation.”
Thus, the lawsuit brought by banks against Target for the 2013 data breach will continue. This case is being litigated alongside a host of other cases brought on behalf of consumers who suffered losses as a result of the breach. Even though it is preliminary, this ruling is important for banks across the country. The court’s conclusion that Target’s cybersecurity failures “caused foreseeable harm” to banks is significant. Since threats from cyberthieves are not going away, banks will continue to face a substantial threat of loss. The litigation against Target may force retailers to share responsibility for this threat.