Bad news for data breach defendants: Banks’ case vs. Target to proceed

December 5, 2014

In a decision that could have important consequences for other corporations facing data breach cases, U.S. District Judge Paul Magnuson of St. Paul, Minnesota, ruled this week that financial institutions claiming to have spent billions of dollars replacing their customers’ compromised credit and debit cards may proceed with a negligence class action against Target.

Magnuson’s decision is a breakthrough for credit and debit card issuers, which often bear the brunt of costs arising from hacker attacks on retailers because issuers have to replace cards and respond to customers’ concerns. As I’ve previously reported, there’s not much precedent on merchants’ liability to the banks and credit unions that issue cards, and what there is previously seemed to favor Target’s argument that it owed no duty to card issuers.

Magnuson, however, found that the banks were foreseeable victims of Target’s allegedly negligent conduct – precedent that will be “extraordinarily favorable” to banks in other data breach litigation, according to Charles Zimmerman of Zimmerman Reed, who represents the class of card-issuing banks suing Target. “This isn’t an area where the laws are already broad and deep,” Zimmerman said.

Target’s lawyers at Ropes & Gray and Faegre Baker Daniels had contended in their motion to dismiss the banks’ class action that credit- and debit-card transactions are processed in three separate steps, with card issuers at one end of the chain and merchants at the other. Target had no contracts with card issuers, the company argued, and the banks’ data wasn’t stolen when hackers obtained information about 110 million Target shoppers last fall. The indirect relationship between issuers and merchants, according to Target, is too attenuated to saddle retailers with liability for the banks’ losses. Target’s brief urging Judge Magnuson to dismiss the case claimed no court has ever held that a third-party “special relationship” with card issuers imposes a common-law duty of care on merchants.

But Magnuson agreed with the banks’ argument that their case is about plain old negligence, not third-party harm. The card issuers, he ruled, had offered adequate allegations that they were the foreseeable victims of Target’s predictably risky actions.

Importantly, Judge Magnuson said that imposing a duty of care on Target “will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.” He said he had reached that conclusion “despite Target’s dire warnings about the burden of imposing such a duty.”

One factor in the judge’s consideration – and the basis of an additional count in the banks’ case against Target – is Minnesota’s Plastic Card Security Act, which imposes liability for card issuers’ costs on Minnesota businesses that have violated the law’s restrictions on retaining customer data. The judge said the law showed state legislators’ intent to broaden duties to safeguard credit and debit card data. He also refused to limit the scope of the Minnesota law to in-state transactions, as Target had argued.

Class counsel Zimmerman said that part of Magnuson’s decision will help card issuers in future data breach cases against Minnesota-based companies or those that store data in the state, but plaintiffs in cases against data-breach defendants outside of the state will have to show that Minnesota law somehow should apply to their claims.

The judge did dismiss the banks’ negligent misrepresentation claims, finding that they hadn’t shown they relied on Target’s allegedly misleading statements about data protection. Magnuson said the class could amend its complaint to fix the reliance problem, but Zimmerman told me his clients haven’t yet decided if they will.

Target counsel Douglas Meal of Ropes & Gray didn’t respond to my email request for comment.
