Target: Retailer Owes No Duty to Banks in Data Breach
A Target Corp. lawyer told a judge that the company had no legal obligation to banks that claim to have lost tens of millions of dollars after a hack last year on the retailer’s payment processing systems.
Target didn’t have a legal duty to the banks because card payments are processed through third-party intermediaries, Douglas Meal, the retailer’s lawyer, told U.S. District Judge Paul Magnuson in St. Paul, Minnesota Friday. Target isn’t liable to the lenders, he said today in urging the judge to dismiss the case.
The banks “are claiming that Target had a duty to protect them from that criminal activity,” Meal said. “The only way that would be true is if there is a special relationship between the parties,” and there is none.
Credit card account information for millions of Target customers was stolen by hackers who exploited a flaw in the company’s computerized climate-control system, according an August court filing by the lenders. In the lawsuit, the banks says they and other credit card issuers lost tens of millions of dollars from having to issue new cards, monitor accounts for fraud and reimburse victimized customers.
Company Data Breach Now Costs $3.5M on Average: Ponemon Study
The banks seek to hold Minneapolis-based Target liable for negligent system security. The lenders, suing on behalf of a proposed group that includes every card-issuing financial institution whose customers made purchases last year, say the company wants to duck blame for failing to safeguard data.
Friday’s argument came a week before Black Friday, the unofficial start of the holiday shopping season in the U.S. and a week after the hardware emporium Home Depot Inc. disclosed that 53 million e-mail addresses were taken by hackers in a breach it reported in September.
High-end retailer Neiman Marcus Group Ltd. and Sears Holdings Corp.’s discount chain Kmart have also been struck by hackers. Staples Inc., the world’s biggest office-supply chain, last month said it too may have been attacked. As of Nov. 19, it couldn’t fully assess the damage, according to a filing with the U.S. Securities and Exchange Commission.
In court Friday, the argument focused on whether Target owed a duty to the banks. Magnuson interrupted Meal several times to ask if there still must be a “special relationship” between Target and the lenders for the case to proceed.
The banks’ lawyer, Karl Cambronne, told Magnuson that the Minnesota Plastic Card Security Act requires Target to guard against a possible breach. The law prohibits the retailer from retaining some data after a sale, Cambronne said.
No Consensus Among States Over Data Breach Laws
“We reject the notion that this case is all about the obvious, that is, the bad guys hacked into the system,” Cambronne said. “Twice the Visa and Mastercard system had warned Target this malware is out there and you are not protected from it.”
Target’s lawyer said the data theft happened at the point of sale and that the plastic card law doesn’t apply.
Magnuson didn’t rule.
Target has said the stolen data included addresses and phone numbers of as many as 110 million people. The company, which this month hired a new chief risk and compliance officer, is scheduled to argue Dec. 11 for dismissal of claims in a separate suit by consumers.
The five banks leading the suit are Roseburg, Oregon-based Umpqua Bank; Whitman, Massachusetts-based Mutual Bank; CSE Federal Credit Union of Lake Charles, Louisiana; St. Francis, Minnesota-based Village Bank; and First Federal Savings of Lorain, in Lorain, Ohio.
The case is In re Target Corporation Customer Data Security Breach Litigation, 14-md-2522, U.S. District Court, District of Minnesota (St. Paul).