The Court hearing the Target data security breach litigation issued a ruling on December 2, 2014, largely denying Target’s motion to dismiss the Consolidated Amended Class Action Complaint in the Financial Institutions Cases. In his decision, Judge Magnuson found that Target owed the issuer banks a duty to protect customer data from hackers, a determination that was based on allegations that Target played a “key role” in allowing the break-in to occur by intentionally disabling one of the security features that would have prevented the harm. Decision at 5. At issue in the case is whether Target should be held responsible for the costs incurred by the issuer banks as a result of fraudulent charges and to replace customers’ credit and debit cards.
The importance of the decision is that it provides banks with a legal basis to seek to hold merchants financially responsible for the costs of data breaches if the facts suggest the merchants’ data security systems were deficient.
Of course, this is just the first round in the litigation and the banks will still need to prove their case before imposing liability on Target. That said, this decision is surely a sign of things to come and we will continue to mind the store and report on developments.