At last count, 140 lawsuits were filed against Target in the wake of the massive data breach that exposed credit and debit card payment information for tens of millions of consumers in late 2013. If your head is spinning at the thought of how this will all be handled and what it means for payment security, you’re not alone. Follow along as we take a deep dive.
UPDATE: Following the class-action lawsuits originally filed against Target after the 2013 massive data breach, the retailer has agreed to pay $10 million in damages to settle its lawsuit. With the U.S. federal court’s approval, Target will deposit the said amount into an interest bearing escrow account in order to pay each affected victim up to $10,000 in damages. In the proposal, Target will have to create and implement additional data security measures such as maintaining a written information security program and continuing to utilize the company’s first Chief Information Security Officer (CISO).
UPDATE #2: Target is approaching a settlement with MasterCard. The current settlement is nearing the $20 million mark, to help offset the costs that financial institutions incurred due to the data breach. These costs include the reissuance of credit and debit cards exposed in the data breach, as well as some of the fraudulent transactions that resulted from the exposure of the retailer’s customers’ payment information.
With well over a hundred pending lawsuits, the court system compiled them into three categories (consumers, banks and shareholders), to be overseen by U.S. District Judge Paul Magnuson
The Consumer Lawsuit
The claim in the consumer lawsuit is that the breach was avoidable and occurred because Target did not take proper precautions in protecting its computer systems. The plaintiffs are seeking reparation for injuries including:
Unauthorized charges on their debit and credit accounts
The theft of their personal and financial information
Costs associated with the loss of use of their associated accounts, including penalties and fees for late and missed payments, as well as damages to their credit scores as a result of aforementioned missing payments
Costs associated with loss of productivity from taking the time to deal with and address the adverse effects of the data breach
Reimbursement for any purchases made during the data breach, which likely would have not happened had Target disclosed their knowledge of the breach when it first occurred
The cost of continued risk of their personal and financial data, which is still in Target’s possession
Target attempted to get the lawsuit thrown out by claiming that the plaintiffs failed to show enough injury to proceed, but Magnuson found that the plaintiffs did show sufficient injuries, “including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.
“Target ignores much of what is pled, instead contending that because some Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts, Plaintiffs have insufficiently alleged injury. These arguments gloss over the actual allegations made and set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage,” the judge said.
The Bank Lawsuit
The plaintiffs in the bank lawsuit include Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain. They are pursuing class-action status, on behalf of all banks and credit unions whose customers transacted via debit or credit card at Target during the time of the breach.
The claim in the bank lawsuit is that Target's actions and inactions - disabling certain security features and failing to heed the warning signs as the hackers' attack began - caused foreseeable harm to plaintiffs. The banks are seeking to recover damages incurred by the data breach, including:
Credit and debit card reissuing costs
Fraudulent transaction reimbursement
Costs incurred from additional monitoring of customer accounts
Increased customer service costs
Losses stemming from decreased use of customer cards during the busiest shopping season of the entire year
Target also tried to get this lawsuit dismissed by claiming that they didn’t have a close enough relationship with the plaintiffs to be held directly liable due to negligence. Judge Magnuson also struck this down and stated, “At this preliminary stage of the litigation, plaintiffs have plausibly (pleaded) a general negligence case. Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.”
What Happens Next
Both of these lawsuits will move on to the discovery phase of litigation, where each party will continue to seek and gather evidence from the opposing side to help build their respective cases. Target will continue to attempt to get the cases dismissed, but if unsuccessful, class-action status could be achieved by the financial institutions and the consumers before the cases go to trial in 2016.
What Does it Mean For Retailers Going Forward
The bank lawsuit continuing to move forward is a huge game-changer in the confusing web of who is ultimately responsible for the financial burden after a data breach. Traditionally, banks have been left to absorb the vast majority of the costs of reissuing cards and refunding fraudulent charges - which turned out to be a crippling $240 million in the case of Target. This ruling could ease the loss felt by banks if and when a merchant can be proven negligent in how they safeguarded sensitive customer data.
How to Get Ahead of Data Breaches
Rippleshot’s cutting-edge technology and rapidly growing data set make our solution uniquely powerful and comprehensive. When used aggressively, issuers can stop half of all breach-related fraud spends, and retailers can stop their breach months faster, when only a fraction of the cards have been stolen. Sign up below to receive a demo of our software and see for yourself what it can do.