An Early Christmas Present for Consumers? Court Rules that Retailers Can Be Liable to Banks Arising from Data Breaches.

by Privacy & Data Security Members Karin McGinnis & Robert Sumner

Cyber-Monday sales weren’t the only good thing that happened for consumers this week.  Later in the week a federal judge in Minnesota thwarted Target’s attempt to dismiss a lawsuit brought by banks and credit unions arising out of the massive data breach last year.  Although the breach and access to the credit card information of some 40 million consumers resulted from hackers obtaining the password of a Target vendor who was accessing an unrelated subsystem, the banks and credit unions claimed that Target was liable to them because it contributed to the data breach through its inadequate data security procedures.  Target pushed back, claiming that it had no duty to the financial institutions.  The court disagreed.  Contributing to the court’s decision was a Minnesota state law regarding corporate data security obligations.

It is important to remember that this is just the first skirmish in this case.  The financial institutions still have to prove that Target failed to engage in adequate security procedures and that Target’s failures were a proximate cause of the harm to the institutions.  But like the New Jersey federal court’s ruling earlier this year in FTC v. Wyndham Worldwide Corp[1] , holding  that the Federal Trade Commission can pursue a claim that a company’s failure to have adequate data security measures is an unfair trade practice under the FTC Act, the Minnesota court’s ruling in the Target case will ultimately benefit consumers.  Faced with potential liability to not just consumers, but also financial institutions with deeper pockets to fund litigation, retailers have yet another reason to implement, test and continuously update security measures and procedures to protect their consumers’ information.

[1] No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014).

Leave a Reply

Your email address will not be published. Required fields are marked *