Target. Michaels Stores. Neiman Marcus. And now, Sally Beauty. They’re the most recent examples of large-scale credit and debit card hacking that has reached epidemic proportions.
The pattern is now all too familiar: Merchant processors or issuing banks notice fraudulent activity. Investigators and law enforcement gradually circle the location(s) where the security breaches occurred. The merchant posts an “oops” press release on its website and offers credit monitoring services to preserve customer goodwill. Some cardholders notice unauthorized activity and have to deal with their own “issuer” banks while others are tasked with changing their credit card number and perhaps updating online accounts where the card is used. Then everyone moves on, including the banks.
But recent lawsuits filed against Target underscore the tension between the banks issuing the cards and the merchants victimized by point-of-sale malware (malicious software used to corrupt computer operations).
Most people know that Target faces a raft of class action complaints that purport to represent cardholder victims. Similar class complaints against retailers have had difficulty gaining much traction, since cardholder liability is limited by law, and issuer banks typically scramble to reissue cards to unfortunate customers. So courts have been skeptical of damage claims asserted for classes of cardholders.
But what if the issuer banks themselves become the plaintiffs/class representatives?
Two regional banks (one in Texas, the other in Florida) recently filed a class complaint against Target in a district court near Target’s headquarters, claiming that financial institutions “have been left on the hook for tens, if not hundreds, of millions of dollars as a result of Target’s failure to implement reasonable and industry-standard measures” to guard against card fraud at checkout lanes. Claiming the breach was a “direct and foreseeable result” of failure to implement “reasonable and industry-standard security,” the plaintiff banks claim they suffered losses related to administrative costs, customer reimbursements for fraud, lost interest and transaction fees, and the costs of reissuing cards. In addition to asserting common law tort claims like negligence, the banks sued Target under a state statute that gives issuing financial institutions a private right of action when they are harmed by a breach that results from the business (in this case, Target) retaining card security code data, PINs, or other encoded matter after authorization of the transaction.
In previous breach-related litigation between banks and merchant processors, where claims have generally been based on torts and not necessarily statutory violations, processors have argued that an issuer bank’s negligence claims are barred by the economic loss doctrine, which requires parties to look solely to contractual remedies. But in a recent case where issuer banks had no direct contractual relationship with the party whose systems were breached, a Federal Circuit Court of Appeals said the economic loss doctrine would not bar claims, at least under the New Jersey law it applied to the dispute.
That court said the merchant processor “had reason to foresee the Issuer Banks would be the entities to suffer economic losses were [the processor] negligent.” Under New Jersey law, the doctrine does not apply when the defendant knows or has reason to know that an identifiable class of plaintiffs is likely to suffer economic damage as a result of its conduct. The appeals court also said that while “it seems the Issuer Banks’ remedies vis-à-vis the Acquiring Banks under the regulations are clear because both the Issuer Banks and the Acquirer Banks are members of the Visa and MasterCard networks, any contractual remedies the Issuer Banks have to recoup losses caused by [the processor] are not evident.” In other words, absent clear evidence of a contract, there was no reason to limit tort claims by the banks.
Turning to the recent suits against Target, the first issuer banks that sued Target did not assert contract claims. And with Target’s recent revelations about its own conduct after receiving internal warnings about hacking, plaintiff lawyers may have a number of topics to explore if the lawsuits make it past motions to dismiss.
While it is too early to predict the outcome of any of this litigation, the immediate expectation for retailers is simple: as states enact new data security laws, merchants need to consider the possibility of statutory liability as well as tort liability to parties with whom they do not have a direct contractual relationship.
And what about the issuing banks harmed by a breach? Consider the possibility of claims that may survive contract-based defenses by having your counsel determine which statutes might strengthen your claims.