Measures Of Income Inequality And Where It is Worse
Facebook, WhatsApp, and Fitness Apps. Data Collection on Steroids?

Consequences From The Target Data Breach

Target Bullseye logo After executives at Target announced in December a data breach that affected the retailer and its customers, there have been plenty of consequences. ABC News reported:

"The nation's second largest discounter said Wednesday that its profit in the fourth quarter fell 46 percent on a revenue decline of 5.3 percent as the breach scared off customers worried about the security of their private data... Target's business has been affected by the breach in a number of ways. During the quarter, the number of transactions fell 5.5 percent... The company also has faced costs related to the breach. Target said it can't yet estimate how much the data breach will cost it in total. But in the fourth quarter, it said the breach resulted in $17 million of net expenses, with $61 million of total expenses partially offset by the recognition of a $44 million insurance receivable."

Typically, after a data breach affected consumers require replacement bank cards (e.g., credit and debit). Banks incur costs to issue replacement cards, to close affected accounts, and open replacement accounts. Consumers incur costs from stolen money, the lost time and aggravation to submitting complaints for reimbursement, and to re-establish online payment account settings.

ABC News also reported:

"Target said expenses may include payments to card networks to cover losses and expenses for reissuing cards, lawsuits, government investigations and enforcement proceedings..."

May? I would say definitely. Why? The Huffington Post reported:

"Costs related to the holiday data theft has now exceeded $200 million for financial institutions, according to data collected by the Consumer Bankers Association and the Credit Union National Association. The two trade associations said Tuesday that 21.8 million of the 40 million compromised credit and debit cards have been replaced."

And, these costs will surely rise since the damage is still ongoing. Target will also incur legal costs to defend itself. The Minneapolis Star Tribune reported:

"A group of First Farmers & Merchants banks in southern Minnesota has sued Target Corp. over alleged damages from the retailer’s data breach late last year. While a number of financial institutions from around the country have sued the company since news of the data heist broke, the First Farmer & Merchants lawsuit is believed to be the first by a financial institution on Target’s home turf in Minnesota... The banks are First Farmers & Merchants National Bank in Luverne, First Farmers & Merchants National Bank in Fairmont, First Farmers & Merchants State Bank in Brownsdale, First Farmers & Merchants State Bank of Grand Meadow and First Farmers & Merchants Bank in Cannon Falls."

According to the Chicago Tribune:

"A House of Representatives committee with broad investigative jurisdiction has turned up the heat on Target Corp, demanding that the No. 3 U.S. retailer turn over internal documents and messages describing how and when it learned of a recent massive consumer data breach... The committee set a deadline of March 10 for Target to turn over the materials... the House committee also requested any documents generated between November 1 and December 19 referring to discussions about notifying others about the data breach, and any documents generated since December 12 in which any federal agency advised the company to avoid providing information to Congress."

Why Congress started this investigation:

"... was prompted, at least in part, after committee officials felt dissatisfied with responses given by Isaac Reyes, an official with Target's government relations department, during a January 30 conference call about the data breach."

About breach costs, the Chicago Tribune reported:

"... several analysts expect Target to slash its share buybacks as it copes with costs tied to the breach, which some estimate will cost the company $500 million to $1.1 billion."

When companies fail to protect consumers' sensitive personal and payment information, there are lots of consequences. There should be lots of consequences. I'll bet that Target executives did not expect the consequences they now face.

My advice to executives at corporations, banks, and mobile app developers:

If you can't protect it, don't collect it.


Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

One of the new developments that lawyers and others will need to follow is that banks, savings&loans, and other financial intermediaries (Intermediaries), which issue credit and debit cards, seem to have had enough of having to absorb the expenses of replacing replacing debit and credit cards and closing compromised accounts and issuing new accounts and may sue Target to be made whole for those expenses.

The viability of Target's defense against Intermediaries' lawsuits and other lawsuits sounding in negligence and other theories will most likely turn on whether Target’s measures to protect its customers' accounts were at least reasonable given the state of the art for protecting those accounts and the foreseeable risks that those accounts would be compromised. In other words, given the state of the art for protecting its customers' account and the foreseeable risks of those accounts being compromised, did Target satisfy its duty of care?

Now, that may not be the only standard governing Target's liability for the data breach, as there may be other statutory/regulatory laws that could impose liability. But where Target has failed to meet its duty of care under the negligence standard, it is unlikely to be able to successfully defend against liability under other law, which are likely to have an even higher, not lower, standard that Target must meet to avoid liability.

And Target's legal troubles seem to be pervasive, as several other large retailers also experienced data breaches using the same techniques and perhaps by the same criminals. Perhaps, it is time to return to using cash and checks, with retailers not maintaining any information on us beyond what is necessary for them to get paid, or, as Mr. Jenkins put it, supra, "If you can't protect it, don't collect it."

And experts that I know say that question in the industry isn't whether you've been breached but whether you know that you've been breach. Which is to say that no one--not data brokers, not retailers, not Google, not Facebook--can protect our data, so no one should be collecting any more data than is necessary to complete financial transaction, and once the transaction is completed, all data should be purged, except for Intermediaries, which have to maintain depository, brokerage, and other financial accounts.

As for what customers can do to protect themselves, Mr. Jenkins has given good advice in past columns--I mean in past blogs.

And what of warranties, you can simply retain your receipts. Personally, I scan all of my receipts at least for important purchases and file them both in a computer file and, here I go again betraying my age, in an actual file cabinet.

The comments to this entry are closed.