Since we last covered the Target lawsuit, we saw a potential $19 million settlement brought to the table by Mastercard, which was defeated by their issuing banks in May. The settlement would have forced an end to the class-action litigation, which is now moving forward, in parallel with MasterCard’s attempt to renegotiate their settlement deal. Late last week, the banks involved in the lawsuit filed a request with the U.S. District Court of Minnesota to unseal some documents that until now, Target has been attempting to keep classified as confidential.
The lawsuit is still in the discovery phase, meaning parties from both sides can request documentation from one another to help build their respective cases. The banks are claiming “Target has taken the position that every document it has ever produced in this case is ‘Confidential’ or ‘Highly Confidential’ and should be concealed.”
Currently, the burden is sitting with the banks to make the case for de-designation on a document-by-document basis. Since this information will form the basis for the court’s decision on class certification (whether or not Target’s liability can be applied to all class members), this motion requests that the burden be moved to Target to prove that the documents fit the bill to be classified as confidential.
The documents in question are as follows:
Information Concerning Target’s Cybersecurity Team in 2013
Target’s Cybersecurity Procedures in 2012-2013
Warnings Target Received Prior to the Breach in 2013
Target’s Failures in 2013 that Caused the Breach
Target’s Post-Breach Investigation in 2013-2014
Information Regarding the Breach’s Impact
The banks claim that because of Target’s continued efforts to settle this lawsuit through outside agreements with parties such as MasterCard, the documents should be unsealed for class members to fairly evaluate the strength of their case.
The proposed MasterCard settlement from earlier this year asked all banks that opted in to release all of their breach-related claims against Target - including this lawsuit. This motion stated that, “To the extent that Target again attempts to engineer a card brand settlement that similarly aims to obtain for Target, outside of the Court’s supervision, a full release of its potential liabilities related to the Breach, including through this litigation, financial institutions should be permitted to evaluate what they are being asked to give up.”
In an interview with Bank Info Security, Ron Raether of the law firm Faruki Ireland & Cox said Target's attemps to keep the documents sealed could be valid.
"Good information security depends on denying hackers information about the system and controls. Something as basic as to the type and software version of a router can be of value to hackers. Making public such details could erode Target's existing security profile and put more consumers at risk."
A decision on this motion is expected to be made on August 12th before the Honorable Jeffrey J. Keyes, United States Magistrate Judge.
To learn more about how large merchant breaches uniquely affect credit unions and community banks, check out our Cost of a Data Breach infographic below.