Target’s bid to ditch $18 bln case by credit and debit card issuers

September 4, 2014

When hackers from Eastern Europe stole financial information from more than 100 million Target customers last fall, the data breach caused a huge headache for banks that issued the compromised credit and debit cards. In the midst of the holiday shopping season, card issuers had to notify clients about the breach, cancel accounts that had been hacked, reissue cards and reimburse customers for fraudulent transactions. The issuing banks have estimated that each card they replaced cost them between $15 and $50. In all, they have alleged in a class-action complaint against Target, their damages from the data breach fiasco may add up to more than $18 billion.

Target says those losses aren’t its responsibility. In a brief filed Tuesday in federal court in St. Paul, Minnesota, the retailer’s lawyers at Ropes & Gray and Faegre Baker Daniels argue that Target has no legal duty to the banks that were forced to replace hacked credit and debit cards because it has no direct relationship with the issuers and owes them no special care.

Every retail business and payment card issuer ought to be paying attention to Target’s arguments. There have been only a handful of rulings in the past few years on merchants’ liability to payment card issuers, and they’ve all been in small actions by individual banks – nothing remotely approaching the scale of the Target class action. All but one of the previous decisions (at least according to Target’s brief) have gone against payment card issuers, concluding that merchants don’t have a duty to credit card issuers. But if U.S. District Judge Paul Magnuson, who’s overseeing the consolidated Target data breach litigation, eventually disagrees and finds that bank issuers can sue retailers for the cost of dealing with data breaches, that will drastically increase merchants’ exposure in data breach litigation.

The heart of Target’s argument is that retailers are two steps removed from payment card issuers in the processing of credit and debit card transactions. When a customer uses a card to make a purchase, according to Target, the retailer obtains authorization not from the bank that issued the card but from a different bank, a payment processor with which the retailer has a contract. The payment processor, in turn, has a contract with a card brand such as Visa or MasterCard. Only after transactions have been routed through the payment processor and the card brand do they reach issuing banks, according to Target. And those banks, Target contends, have their own contracts with Visa and MasterCard – which, according to Target, govern how issuing banks are to be compensated for losses associated with data breaches.

The banks argue that despite the multistep payment procedure, under common law and specific Minnesota legislation on credit card transactions, they were foreseeable victims of Target’s alleged negligence in safeguarding customer financial data. (Target’s apparently deficient data protection program and bumbling response to initial warnings about the sweeping hack are detailed in a U.S. Senate Commerce Committee report on the breach, issued in March.) Because payment card issuers entrusted Target with their customers’ sensitive financial information, the banks claim, card issuers had a special relationship with the retailer that imposes liability for negligence on Target.

“Target knew, or should have known, of the risks inherent in collecting and storing the personal and financial information of shoppers using credit and debit cards,” the banks’ complaint said. “Target’s own conduct also created a foreseeable risk of harm” to issuing banks.

Target’s new brief counters that under Minnesota law – and the laws of just about every other jurisdiction that has considered retailers’ duties to payment card issuers – it owed the banks no such duty. The issuing banks never entrusted their information to Target, the retailer said, and their data wasn’t stolen. They didn’t have contracts with Target, according to the brief, and aren’t considered victims under Minnesota’s credit card laws. In other words, Target contends, the banks are trying to pin down the retailer on the basis of an attenuated relationship that does not impose liability.

“The banks’ negligence and negligent misrepresentation claims hinge, among other things, on there being a never-before recognized ‘special relationship’ between merchants, like Target, and payment card issuers, like the banks, that justifies creation and imposition of a novel common-law duty of care,” Target’s brief said. “The banks, however, are sophisticated parties that do not even have a direct relationship with Target, much less a special relationship that might suffice to create such a duty.”

As precedent, Target cited (among others) a pair of 2012 rulings, BancFirst v. Dixie Restaurants from Oklahoma federal court and Digital Federal Credit Union v. Hannaford Brothers from Maine. In both of those decisions, trial court judges dismissed data-breach negligence claims by payment card issuers, concluding that merchants had no duty to them. Only one opinion, a 2005 Pennsylvania decision in Sovereign Bank v. BJ’s Wholesale Club, has gone the other way, according to Target, and in that case the judge subsequently dismissed the bank’s claim for other reasons.

Lead counsel for the banks suing Target, Charles Zimmerman of Zimmerman Reed, agreed that there’s not much case law on this question (which is why the Target dismissal motion is so momentous). But he said that when Target invited scores of millions of buyers to use credit and debit cards to shop at Target, it extended its duty to protect customer information to the banks that issued the cards. “The duty to act reasonably and responsibly with that data, I believe, extends under both the common law and the Minnesota statute,” he said.

Target counsel Douglas Meal of Ropes & Gray didn’t return my phone call.

For more of my posts, please go to WestlawNext Practitioner Insights

Follow me on Twitter

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/