An order rendered two weeks ago by a United States District Court Judge for the district of Minnesota marked an important turning point for the litigation brought against Target by financial institutions in connection with the massive consumer data breach that occurred a year ago. The decision is also noteworthy in that it is one of the first to clarify the duty of care owed by organizations towards card issuing financial institutions to secure the data of their customers. Target filed a motion to dismiss the banks’ claims on the grounds that their arguments were insufficient. The court, disagreeing, denied the retail chain giant Target’s motion to dismiss and ordered that the banks’ lawsuit against Target for its data breach can continue. The clarity is much needed. Data breaches frequently afflict retailers of all sizes and hackers quickly learn to overcome security systems more sophisticated than their predecessors. Other notable recent cyber security breaches include an attack on Home Depot, resulting in the theft of consumer and credit card holder data and, more recently a cyber-attack on Sony pictures involving the theft of personal information of over 40,000 current and former employees. An estimated 1000 American merchants are victims of data breaches similar to that experienced by Target.
The Target breach, however, was particularly agonising. In December of last year, as the judgment summarizes, Target announced that over a period of more than three weeks during the busy Christmas holiday shopping season, computer hackers had stolen credit and debit card information of approximately 110 million of Target’s customers. The lawsuits that followed these announcements have been consolidated into one multi-district litigation with separate claims brought by consumers and financial institutions. Thus this most recent order relating to claims brought by financial institutions, is part of a much bigger and complex proceeding, which will surely take years to wind its way through the courts. Though, on a separate note, last year Minnesota implemented new rules of procedure to hasten the delay and reduce the cost of civil proceedings.
In the past, the financial institutions that issued the credit or debit cards that were affected by a security breach at a retailer had to replace the stolen cards at their own cost. The banks allege that there are significant expenses associated with this; it cost them approximately $400 million USD to replace the cards from the Target breach. This court order confirmed that banks can sue merchants to recover these card replacement costs provided the evidence sufficiently shows that a retailer was negligent in securing its systems.
The financial institutions pursuing Target are those who issued credit cards to customers who had their personal information stolen. The banks allege four claims against Target:
- Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data;
- Target violated Minnesota’s Plastic Security Card Act;
- This violation constituted negligence and;
- Target’s failure to inform Plaintiff’s of its insufficient security constitutes a negligent misrepresentation by omission.
The banks also make allegations that Target violated a state law by retaining cardholder data for longer than permitted. Target is also accused of having ignored serious warnings about its security. At the time of the breach Target was using a breach detection technology. It is alleged that Target disabled certain security features and failed to heed the alarms sounded by the technology. Only once hackers had suceeded in stealing the credit and debit information of 40 millions customers and personal information of 110 customers, did Target take significant action.
The fault of negligence has 4 elements: duty, breach, causation and injury. The grounds on which Target sought to have the motion dismissed by arguing that it did not owe a general duty of reasonable care to the card issuing banks. US case law provides that a “defendant owes a duty to protect a plaintiff when an action by someone other than the defendant creates a foreseeable risk of harm to the plaintiff and the defendant and plaintiff stand in a special relationship”. Target argued that there was no special relationship between the card issuer banks and itself. The banks argued that Target is liable not because of a special relationship it has with the banks or a resulting third party harm but because of straightforward negligence. Specifically the banks argued that Target, through its own conduct, failed to maintain appropriate data security measures and the financial institutions were foreseeable victims of the harm.
Did Target owe the banks a duty of care? The factors considered were (1) the foreseeability of harm, (2) the connection between the defendant’s conduct and the injury suffered, (3) the moral blame attached to the defendant’s conduct, (4) the policy of preventing future harm, and (5) the burden to the defendant and the community of imposing a duty to exercise care with resulting liability for breach. The court decided that there was a duty of care to which the retailer could be expected to follow, and held liable for in the event that it fails at such duty. While this order was simply at the preliminary phase and the liability of Target for negligence remains to be evaluated on the merits, it is a first step towards validating the idea that the duty of care for protection of personal data is not limited to the person whom the data is about.
There are risks associated with big data and cybersecurity that increase with the online payment process. As companies have more and more data in their control, data governance and security policies are becoming a critical part of company compliance. A year in review of the major Canadian and US legal issues shows that cybersecurity and data management were hot button topics. We can predict that 2015 will see data governance including cybersecurity and privacy as major compliance themes. This ruling will have major implications for the data breaches that, unfortunately, are likely to occur in the coming year.
Data theft and unauthorized access of personal information of Canadian consumers is a growing problem. The consequences for organizations subject to the breach can be serious, as we have seen with Target. Canadian organizations and organizations doing business in Canada have to comply with an increasing web of regulations such a PIPEDA and now, CASL. There is now a greater focus than ever on the legal concerns regarding the leveraging of big data. One popular approach that companies have taken is the implementation of data governance frameworks and policies. A due diligence and best practice approach with consistent and proper implementation may come to be a retailer’s best defense against future claims of negligence in the event of a data breach.