Paul A. Magnuson, a U.S. District Court Judge in Minnesota, ruled on December 2, 2014 that the class-action lawsuit can proceed against Target Corporation for its 2013 data breach.
Target, one of the largest retailers in the country, is headquartered in Minnesota. During its 2013 data breach, hackers stole the credit- and debit-card information for about 110 million shoppers. Lawsuits by both consumers and banks followed, and they were consolidated into the litigation Judge Magnuson ruled upon. Judge Magnuson heard arguments about four complaints:
"Plaintiffs’ Complaint consists of four claims against Target. Count One contends that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. Count Two asserts that Target violated Minnesota’s Plastic Security Card Act, and Count Three alleges that this violation constitutes negligence per se. Count Four claims that Target’s failure to inform Plaintiffs of its insufficient security constitutes a negligent misrepresentation by omission."
Target sought dismissal of all four claims, arguing that the plaintiffs did not prove their case. Judge Magnuson ruled in favor of the plaintiffs on three of the four counts:
"Plaintiffs have plausibly pled a claim for negligence, a violation of the PCSA, and negligence per se. Plaintiffs failed to plead reliance, however, and therefore their negligent-misrepresentation claim must be dismissed without prejudice."
This means that the lawsuit can continue based upon the allegations of negligent data security, violation of Minnesota's Plastic Security Card Act (PSCA), and that Target's actions were negligent. The judge agreed with the plaintiffs' argument that:
"Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target’s “own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff.”"
"... the attackers were able to access the POS network and exfiltrate payment card data for 40 million victims via an HVAC contractor’s credentials... Also, the big-box giant admitted that an early-warning system from FireEye that was in place was ignored despite multiple alarms..."
While most people believe the HVAC vendor's credentials story, I am not so sure it was only an HVAC vendor's credentials. Anyway, this court ruling has huge implications for both banks and retailers. According to InfoSecurity:
"Industry watchers have long expected Target and other retailers to eventually find themselves liable for stolen identities and bank fraud stemming from the high-profile point-of-sale (POS) breaches that have become a sad norm on the cyber-incident front. Now, a Minnesota court has paved the way for a series of lawsuits by banks looking to recover their losses, which they say range into the billions for the last year alone."
Read the Minnesota U.S. District Court ruling (Adobe PDF).
One thing is certain: we will hear more about both this lawsuit and the squabble between retailers, banks, and credit unions about who should pay for breach-related costs when replacement debit/credit cards and accounts must be issued to breach victims.