The aftermath of headline-grabbing data breaches at deep-pocketed retailers is almost always characterized by litigants of all sizes lining up to seek reparation for their legal injuries. These litigants can come in the form of disgruntled financial institutions, who demand compensation for breach-related expenses, or unhappy consumers who have suffered from theft of personal/financial information and unauthorized charges on their accounts. Although consumer class-action lawsuits are a dime a dozen, they typically do not fare well in court, as courts generally conclude that consumers' losses are covered in full by banks. On the other hand, financial institutions have a much easier time proving the costs associated with data breaches, such as card reissuance and reimbursement of fraudulent transactions. Follow along as we discuss the most recent data breach lawsuits, including Target, Home Depot, and Wendy’s, and their effect on consumers, financial institutions, and retailers.
Target: A Target for Consumers and Banks
Before discussing the outcomes of more recent lawsuits, such as Home Depot and Wendy’s, it is helpful to reflect on the consequences of the Target data breach. A final count revealed that 140 lawsuits were filed against Target in the wake of the massive data breach that compromised credit and debit card information for tens of millions of consumers in late 2013. With well over a hundred pending lawsuits at the time, the court system compiled them into three categories (consumers, banks and shareholders), all of which were overseen by U.S. District Judge Paul Magnuson.
The major claim in the consolidated consumer lawsuit was that the breach was avoidable, and occurred because Target did not take the necessary precautions to safeguard its systems. Target promptly filed a motion to dismiss in response to the lawsuit, arguing that the plaintiffs did not allege a present injury sufficient to warrant “case or controversy” standing under Article III of the Constitution. However, Magnuson denied the motion, explaining that the plaintiffs did indeed demonstrate actionable injuries, and ultimately granted class-action status to the lawsuit. As a result, the global retailer agreed to pay $10 million to settle the lawsuit, depositing that amount into an interest-bearing escrow account in order to pay each affected victim up to $10,000 in damages.
Unfortunately for Target, consumers were not the only affected parties. The bank lawsuit, which included Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain, pursued class-action status on behalf of all banks and credit unions affected. Target’s attempts at dismissing the lawsuit failed once again, and the final outcome was a settlement reaching over $20 million to help offset the costs incurred by financial institutions, including notification costs, card reissuing costs, fraudulent transaction reimbursement, increased customer service costs, and more.
Home Depot vs. Banks and Credit Unions
Just last month, U.S. District Judge Thomas W. Thrash, Jr. gave class-action status to a card issuer lawsuit against Home Depot over the 2014 card data breach affecting over 50 million consumers. Similar to the Target bank lawsuit, the issuers are seeking reimbursement for breach-related expenses, such as the costs of investigating fraud caused by the breach, refunding fraudulent charges, and reissuing cards to customers.
In his ruling rejecting Home Depot’s motion to dismiss, the presiding judge, the Honorable Thomas W. Thrash, explained that dismissing the case would suggest that retailers are not responsible for ensuring their own cybersecurity, setting a highly unreasonable precedent for the future. Al Pascual, Head of Fraud and Security at Javelin Strategy and Research, also chimed in, posing a rhetorical question: “if this suit isn't successful, then what kind of incentive is there for other organizations to address known security vulnerabilities? Why not just leave the banks on the hook for the bulk of the costs, because the customers will eventually get over it, right?”
The banks involved in the lawsuit claimed negligence on the part of Home Depot, describing various opportunities that the retailer could have taken to shore up security and prevent the data breach, yet chose not to. From early warnings about vulnerabilities in Home Depot’s data security practices originating in 2008, to a specific request from the internal IT team for encryption of customer data at the point of sale, the lawsuit suggests that Home Depot was given ample warning, and that the breach was not only foreseeable, but preventable.
Cybersecurity attorney and CISO at Viewpost, Chris Pierson, believes that the preponderance of claims made by cybersecurity firms and former employees could be extremely damaging for Home Depot, and that it translates into an easy win for issuers seeking reimbursement. However, at this time, he predicts that Home Depot is not likely to propose a settlement of the class-action lawsuit, and instead will pursue more legal action to disprove claims made by the card issuers.
Wendy’s Lawsuit Stopped in its Tracks
Although Wendy’s is still in the midst of dealing with its payment card data breach, it finally received some good news. A federal judge in Florida, US District Court Judge Paul G. Byron, rejected a consumer’s proposed class-action lawsuit related to fraudulent charges stemming from the data breach that affected over 1,025 locations. The plaintiff, Jonathan Torres of Orlando, used his debit card at a local Wendy’s on January 3rd, and criminals used his compromised card data to buy $200 worth of merchandise from Sports Authority, and $377.74 worth of goods from a Best Buy store.
The Florida judge determined that Torres’ claims of harm did not rise to the level of class-action status, stating that “the plaintiff has not alleged that the two fraudulent charges went unreimbursed by his credit union and has experienced no additional actual harm since then.” This goes to show the threshold that must be met to escalate a data breach lawsuit to class-action status. In the case of Target and Home Depot, the plaintiffs were granted class-action status because they were able to prove actionable injuries, and demonstrate negligence on the part of the retailer. However, Torres was not able to show additional issues arising from the data breach, as his credit union reimbursed him the full amount of the fraudulent transactions, and as a result, his attempt at gaining class-action status was denied.