Last week a United States District Court in Minnesota issued its second order this month thwarting Target’s efforts to dismiss litigation spawned by what has been reported to be the largest retail hack in U.S. history affecting as many as 110 million people.
The Breach: The breach is a tale of Eastern European hackers, HVAC contractors and missed opportunities. The plaintiffs allege that late last November Eastern European hackers stole Target’s network credentials from its HVAC contractors. With credentials in hand the hackers were able to gain access to Target’s computer network, upload card-stealing malicious software onto Target’s cash registers, and begin collecting and exfiltrating Target’s customers’ credit and debit card information.
Although Target had measures in place to detect attacks, plaintiffs contend Target ignored warnings from malware detection and antivirus systems that twice spotted suspicious activity on Target’s network in late November and early December 2013. Plaintiffs allege that Target ignored the alerts while the hackers continued to steal card data from Target’s systems unabated until December 12, 2013 – the day the United States Justice Department allegedly alerted Target to the breach and Target began purging its computer systems of the malware.
Plaintiffs further allege that Target did not publicly acknowledge the breach until December 19, 2013, seven days after the Department of Justice notification. During this time plaintiffs allege that stolen customer information quickly flooded the black market and appeared on a card shop website that announced the availability of a new database of stolen cards for prices ranging from $23 to $135 per card.
The Complaints: The breach quickly spawned numerous class action suits that were eventually consolidated into a Minnesota District Court multidistrict litigation that is divided into two groups of plaintiffs – consumers and financial institutions.
The consumers’ amended complaint contains seven counts including violation of consumer protection and data breach laws, negligence, and breach of implied contract. The consumers allege injury including costs from unauthorized charges, loss of use and access to accounts, time spent addressing data breach issues, and diminution of value in their personal information.
The financial institutions’ amended complaint contains four counts including negligence and violation of the Minnesota Plastic Card Security Act. The financial institutions allege injury including costs for reissuing cards, changing or closing accounts, notifying customers of the breach, and refunding customer losses.
The Motions to Dismiss: In response to the consolidated amended complaints by both groups of plaintiffs Target moved to dismiss. Target’s motion to dismiss the consumer complaints asserted lack of subject matter jurisdiction and failure to state a claim. Its motion against the financial institutions focused solely on failure to state a claim.
Following hearings on Target’s motion to dismiss, the court issued a December 2, 2014 Order (financial institution cases) and a December 18, 2014 Order (consumer cases) granting in part and denying in part each motion. The result is both cases will move forward with a significant number of the claims still in play.
Of the seven counts in the original consumer amended complaint, one count remains intact (breach of implied contract), four were dismissed in part, one was dismissed without prejudice to amend, and one was dismissed with prejudice (bailment). Of the four counts in the original financial institution amended complaint, three remained intact, and one was dismissed without prejudice to amend. A summary of the consumer and financial industry counts, allegations and the disposition of each count can be found here.
The court’s decision in the consumer cases is notable because similar cases have been dismissed for lack of an injury sufficient to confer subject matter jurisdiction on the court. For example, consumers in past cases have pled injury due to fraudulent charges, expenses paid for credit monitoring services and heightened risk of future identity theft. The courts, however, have generally found such allegations insufficient to confer jurisdiction because: (i) banks typically reimburse customers for fraudulent charges, (ii) identity theft protection services do not qualify as actual injury, and (iii) prospective damages are insufficient to confer jurisdiction. Moreover, even when there is some hint of injury, courts frequently find that plaintiffs are unable to tie the alleged injury to the breach.
Unlike most of these prior cases, the Target court’s decision in the consumer cases found that plaintiffs’ allegations of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees … plausibly allege that they suffered injuries ‘fairly traceable’ to Target’s conduct.” What is more, the court did not require plaintiffs to plead that fraudulent charges were unreimbursed, or to specifically tie the alleged injury to the breach. Thus, customer suits involving cybersecurity breaches that have failed in other jurisdictions may find a warmer reception in Minnesota.
Takeaways: This case highlights some areas companies can focus on to both better protect customers from injury and mitigate litigation risks in the context of the NIST Cybersecurity Framework’s core functions – Identify, Protect, Detect, Respond, and Recover:
- Identify what data you are collecting and storing, where it is being stored and how long it is retained at each location;
- Encrypt personal data whenever possible;
- Segregate personal data storage and networks from other systems;
- Limit system access and data access by third party vendors and audit third party vendor security;
- Develop a plan to promptly assess the impact of cybersecurity activity and events on your network, take defensive action and escalate incidents to directors as necessary; and
- In the event of a breach, be prepared to react quickly with forensics and legal teams who can assess the scope of theft and provide an expedient response including stopping the breach activity, restoring systems and providing prompt notice of the breach.
These are a few cybersecurity plan considerations highlighted by the allegations in the Target cases. There are many more components to a comprehensive cybersecurity plan addressing all of the core functions under the NIST Cybersecurity Framework.