2014 was a big year for data security breaches and 2015 may reveal even more complex and troubling problems. Individual consumers are either numb from the continual news feed detailing the various criminal scenarios placing their personal information at risk or perplexed to the point of inaction in deciding how to protect themselves.
The historical arc of a data breach seemed predictable until 2014: credit card data is stolen from a retailer, fraud is reported to the credit card company, the financial institution pays the fraudulent charges, and then the financial institution continues to incur administrative costs for the issuance and tracking of new cards.
Not so anymore. In 2014, consumers and financial institutions initiated class action litigation against Target in Minnesota federal court following its 2013 mea culpa that approximately 110 million of its customers’ credit- and debit-card information had been stolen. The consumers and financial institutions alleged common law negligence and statutory claims under Minnesota’s Plastic Card Security Act (“MPCSA”).
Target moved to dismiss the financial institutions’ claims, expecting the Court to preserve the historical balance that financial institutions could not recover losses due to a retailer’s data breach. Yet something remarkable happened and the claims survived, perhaps becoming a wedge that shifts future burdens to retailers from financial institutions across the United States.
The Court said that in this case Minnesota law imposes a duty on a retailer where a foreseeable risk of injury exists to a foreseeable plaintiff. While third-party hackers caused the harm, Target played a role if, as alleged, it purposely disabled a security feature which would have prevented the breach. The Court reasoned that this duty would further Minnesota’s legislative intent for companies to protect consumers’ information as required by the MPCSA.
The Court also found that Target owed a duty of disclosure to the financial institutions regarding alleged material weaknesses in its data security systems and procedures, saying that it was plausible that Target’s knowledge regarding its ability to repel hackers, coupled with its partial public disclosure of its data security practices, could establish a duty. Even so, this claim was dismissed on a legal technicality: the financial institutions failed to allege that they relied on Target’s public data security disclosures.
Finally, the Court held that because Target conducts business in Minnesota, the MPCSA claims could proceed.
A copy of the opinion, In re Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK), United States District Court, District of Minnesota, is attached here. This case is a long way from resolution, but the denial of Target's motion to dismiss creates a potential recovery right for financial institutions, particularly for those with clients that operate in states having consumer data protection laws similar to the MPCSA.
A data breach is an unpredictable, complex and multifaceted problem for consumers, retailers, and financial institutions. Establishing, maintaining, and continually updating a data breach response plan can help identify risks and mitigate damages. For additional information, or if you need assistance with your plan, Stites & Harbison’s Privacy & Data Security Group can help.