In addition to consumer class actions, Target is now facing multiple suits filed by financial institutions across the country in the wake of the retailer’s massive data breach.
Frustrated at the administrative costs – refunding or crediting customers for unauthorized transactions; notifying cardholders of the breach; closing an account or blocking transactions on it and then opening a new account; and issuing new cards for an account, among other tasks – banks and credit unions are seeking payment from Target for the company’s alleged failure to use industry-standard security methods.
The facts commonly alleged in these actions are as follows: Between November 27 and December 15, the credit and debit card information of an estimated 40 million Target customers was stolen by hackers. The card information included cardholder names, card numbers, expiration dates, security validation codes, and even encrypted debit PINs. Despite becoming aware of the breach on December 11, Target did not notify customers until December 19. And while the retailer initially denied it, in January the company admitted that an additional 70 million customers had their personal information – names, mailing addresses, telephone numbers, and e-mail addresses – hacked.
The first to file suit: Alabama State Employees Credit Union, seeking to certify a national class of financial institutions allegedly affected by the breach, asserting claims for negligence and breach of contract. “Plaintiff has been swamped by customers and its members needing to close accounts due to Target’s data breach, resulting in Plaintiff exerting time, resources, and money to close out accounts and open new accounts with different account numbers,” according to the complaint. The credit union alleges the “cost in refunding loss deposits, time, and resources spent to remedy the situation of Plaintiff’s customers and members are untold.”
The credit union’s Alabama federal lawsuit was followed by similar complaints in Minnesota and Pennsylvania federal courts. Community Bank of Texas estimated the damages of the nation’s financial institutions to be in the “tens, if not hundreds, of millions of dollars as a result of Target’s failure to implement reasonable and industry-standard measures, Target’s otherwise willful and negligent conduct to protect its customers’ credit card and debit card information, and the resulting [s]ecurity [b]reach,” according to the bank’s complaint.
The suits allege that Target failed to maintain reasonable and industry-standard security measures, including adherence to the credit card operating rules issued by Visa and MasterCard, for example, and to the Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA-DSS). Pennsylvania-based First Choice Federal Credit Union also alleges in its suit that the company retained magnetic stripe information and data from credit and debit cards issued by the banks more than 48 hours after a transaction, in violation of Minnesota’s data breach law.
In addition to damages for common law negligence and breach of contract, two of the suits seek damages pursuant to Minnesota’s “Plastic Card Security Act,” which provides that a violator of the data breach statute who suffers a security breach must reimburse reasonable costs incurred by financial institutions as a result. Minnesota (where Target is based) is one of only a handful of states with such a law.
To read the complaint in Alabama State Employees Credit Union v. Target, click here.
To read the complaint in Community Bank of Texas v. Target, click here.
To read the complaint in First Choice Federal Credit Union v. Target, click here.
Why it matters: While a number of lawsuits brought by financial institutions have already been filed, many of which seek to certify a nationwide class of affected financial institutions, more suits are likely to follow. Plaintiff financial institutions in these sorts of suits typically face an uphill battle, given the contractual relationships between the financial institutions and the card brands, which allow for payment for expenses incurred as a result of a card breach. However, the banks here have the advantage of the Plastic Card Security Act, which could require Target to pay back the financial institutions if it is found to have failed to comply with credit card security standards.