Last week, a Minnesota federal court ruled that a retailer (here, Target) may owe its customers' banks a duty to keep the customers' financial information secure. The decision was simply a refusal to dismiss the case, rather than an actual decision on the merits. However, the decision is very significant for all retailers or other businesses which accept credit- and debit-cards. It opens the door to future negligence claims against such businesses, when these businesses previously may have thought they had little exposure to such a claim.
Background on Target Breach
Over a period of three weeks in November and December of 2013, computer hackers stole credit- and debit-card information from approximately 110 million Target customers. After Target announced the breach, several banks brought suit against the retailer for the cost of re-issuing credit and debit cards to its customers and other breach-related expenses (which totaled $172 million). The banks alleged that Target was negligent—in that it failed to maintain appropriate data security measures, which in turn created a foreseeable risk of the breach that occurred. In response, Target moved to dismiss the banks’ complaint, claiming that it had no contractual or special relationship with the banks, and therefore had no duty to the banks to safeguard customer data.
Judge Refuses Motion to Dismiss
On December 2, Judge Magnuson rejected Target’s argument and held that Target's neglect contributed to the harm. The judge upheld the banks’ negligence claim and confirmed that the banks adequately pled that Target owed them a duty of care. In rejecting Target’s lack of duty argument, the court stated that “it is clear the institutional parties to credit- and debit-card transactions have voluntarily assumed similar duties toward one another.”
Importantly, the court also relied on Minnesota’s Plastic Card Security Act (Minn. Stat. § 325E.64) to find that the banks plausibly alleged a duty on Target’s part. The act requires companies to reimburse financial institutions for data breach expenses that result from a company’s failure to properly safeguard customer data. According to Judge Magnuson, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.” The judge found it significant that “the duty to safeguard [customer card] data in Minnesota has received legislative endorsement.”
Interestingly, most states do not yet have laws on the books that are as favorable to banks as Minnesota’s Plastic Card Security Act. It is unclear whether other jurisdictions would impose a similar duty of care on retailers in the absence of such a clear mandate from the legislature.
Since Target’s motion to dismiss was denied, the case will now continue on the banks’ negligence claims.
The case serves as a wake-up call to all businesses which accept credit- or debit-cards. Such businesses should review their security procedures and examine their potential liability for a "worst-case" scenario. Such a review would include examining possible liability under the PCI Data Security Standard and other applicable laws (e.g., state negligence laws) and whether the business has sufficient insurance (e.g., cybersecurity insurance) to shield the business.