Banks continue to file suit against retailers, hoping to shift the costs of data breaches, with some recent success.

What happened

In January 2016, hackers accessed Eddie Bauer’s point-of-sale register system and installed malicious software that infected every Eddie Bauer store in the United States and Canada. Using the malware, the hackers were able to steal credit and debit card data from the system and sell it to third parties, who made fraudulent transactions on those payment cards.

Earlier this year, Veridian Credit Union filed suit against the national retailer, alleging that it suffered significant property damage to the unique data included on the payment cards, as well as financial losses from covering its customers’ losses due to the data breach, such as the cost of reissuing credit and debit cards to its customers.

Veridian claimed that the data breach and its injury were the foreseeable results of Eddie Bauer’s inadequate data security measures, which the company knew were insufficient to protect against recognized threats. Eddie Bauer moved to dismiss.

After deciding that Washington law applied to the action, U.S. District Judge James L. Robart denied the motion, allowing the suit to move forward on Veridian’s negligence claim.

The court agreed with Eddie Bauer that the company did not owe a common-law duty to the financial institution because the parties had neither a contractual relationship nor a “special relationship” that would have created a duty.

However, the court did find a duty predicated upon the violation of a Washington statute. RCW 19.255.020 was designed to address damage to financial institutions from unauthorized cyber-intrusions into the account information of credit card and debit card holders.

Specifically, the statute states: “If a processor or business fails to take reasonable care to guard against unauthorized access to account information that is in the possession or under the control of the business or processor, and the failure is found to be the proximate cause of a breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach.”

By imposing a duty on Eddie Bauer with respect to the negligence claim pursuant to the statute, the court would be protecting the class of persons RCW 19.255.020 seeks to protect (financial institutions that have incurred actual costs related to unauthorized access to credit and debit card holders’ information) and the same interests cited by Veridian in its lawsuit (the security of the card holders’ account information), the court explained.

“[T]he ‘reasonable care’ standard found in [the statute] defines the minimum standard of conduct under Washington law for processors or businesses whose alleged failure to protect from unauthorized access [to] credit and debit card account information that is in their possession causes damage to financial institutions,” Judge Robart said. “Accordingly, the court denies Eddie Bauer’s motion to dismiss Veridian’s negligence claim on the grounds that Eddie Bauer does not owe Veridian a duty as a matter of law.”

In addition to upholding the negligence claim, the court held that the financial institution could pursue claims directly under RCW 19.255.020 as well as under Washington’s Consumer Protection Act.

Veridian’s allegations were sufficient to allege that Eddie Bauer engaged in an unfair or deceptive act or practice because “customers had no way of knowing that Eddie Bauer’s cyber-security measures were allegedly deficient or that Eddie Bauer had allegedly failed to implement appropriate software updates or other reasonable security measures,” the court said.

Nor could consumers have avoided the risk of data theft by paying for items with cash, as the defendant had argued; Judge Robart called that argument “disingenuous” given the ubiquitous use of credit and debit cards in all types of commerce.

On the heels of Veridian’s success, Independent Community Bankers of America became the most recent financial institution to file suit against Equifax in the wake of the record-setting data breach at the consumer credit reporting agency that has already yielded dozens of other lawsuits.

ICBA, a group representing more than 5,700 community banks, claimed that its member institutions have been left to deal with the direct consequences of Equifax’s “failures and active misfeasance,” such as canceling and replacing customers’ payment cards, covering fraudulent purchases, taking protective measures to reduce the risk of identity theft and loan and deposit account fraud, opening and closing affected accounts, lost interchange fees, and the costs of notifying customers.

“Despite the fact that the threat of a data breach had been a well-known risk to Equifax, as it acknowledged in its corporate filings, Equifax failed to take reasonable steps to adequately protect and affirmatively mishandled the only product in which it exclusively trades and is responsible for protecting: the ultra-sensitive, highly-sought-after personal and financial information of millions of individuals,” according to the Georgia federal court complaint.

Roughly 44 percent of the U.S. population had their personally identifiable information accessed in the Equifax breach, which impacted more than 145 million consumers.

“Equifax has a well-established and clear legal duty to act reasonably to protect the sensitive information that it collects and possesses from exposure to hackers and identity thieves,” ICBA alleged, adding that financial institutions reasonably expect that customers’ PII will be stored in a safe and confidential manner, using all reasonable safeguards and protections.

The defendant also failed to comply with Federal Trade Commission requirements to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data, which constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, the complaint added. Equifax added to these problems by further neglecting to follow the Payment Card Industry Data Security Standard, ICBA said.

In addition to the immediate harm and costs to the plaintiff’s member institutions, the Equifax data breach will have a long-term impact on banks, the complaint stated. Customers have frozen their credit, “making it impossible to determine their creditworthiness for current or potential credit or loans or to comply with regulatory requirements,” ICBA alleged.

Other losses include lost interest revenue and transaction fees due to reduced payment card usage, according to the complaint. The data security of the plaintiffs is also at risk, because hackers accessed Equifax’s back-end servers that are connected to the servers of financial institutions, ICBA said.

“While consumers are ultimately protected from most fraud loss arising from this incident, Plaintiffs and the Class are not, as they bear the primary responsibility for reimbursing customers for fraudulent charges or other transactions, fraudulently opened loans and deposit accounts, covering the costs of issuing new payment cards for customers to use and implementing new customer authentication procedures,” the complaint detailed. “Additionally, Plaintiffs and the Class will suffer financial losses whenever an identity is stolen and used to falsely establish credit or a deposit account, or access an existing customer’s account. This certainly impending risk will continue into the foreseeable future, and will require Plaintiffs and the Class to incur significant costs and expenses in order to reduce and mitigate it.”

The order discussed above was issued in Veridian Credit Union v. Eddie Bauer LLC; the complaint against Equifax was filed as Independent Community Bankers of America v. Equifax, Inc.

Why it matters

Financial institutions have seen recent success in their efforts to hold retailers liable for cybersecurity incidents. While data breaches have continued to increase in number and size, some banks have reached monetary settlements, such as the plaintiffs who agreed to a $27 million deal with Home Depot earlier this year. Veridian’s victory in Washington federal court allowing its suit to continue could also motivate other banks to shift the costs of a breach, while the ongoing fallout from the Equifax data breach could result in even more litigation against the consumer credit reporting agency.