Banks, Target Argue Over Breach SuitRetailer's Motion to Dismiss Draws Passionate Reply
Target Corp. and several banking institutions continue to argue back and forth over the retailer's request to have the Minnesota District Court dismiss a consolidated class action lawsuit the institutions filed following the retailer's December 2013 data breach.
See Also: DevOps - Security's Big Opportunity
The retailer on Sept. 2 requested that the court dismiss the class action lawsuit, asserting the case should be thrown out because the retailer has no direct contractual business relationship with the financial institutions (see: Target Requests Bank Lawsuit Dismissal).
"The banks' ... claims hinge, among other things, on there being a never-before recognized 'special relationship' between merchants, like Target, and payment card issuers ...," the retailer says in its request to the court. "The banks, however ... do not even have a direct relationship with Target. ..."
The banks' lawsuit, among other things, seeks compensation from the retailer for certain breach-related expenses, such as reissuing affected payment cards and covering the cost of fraud. The breach exposed 40 million credit and debit card details and the personal information of 70 million customers.
Banks' Oppose Motion to Dismiss
On Oct. 1, the banking institutions involved in the lawsuit - including Umpqua Bank, Mutual Bank and CSE Federal Credit Union, among others - shot back against Target's motion to dismiss, arguing the breach would not have happened if it were not for Target's defective data security practices.
"Target's failures that enabled the breach are a matter of public record, having been aired in hearings before a United States Senate committee and analyzed in reports of investigative journalists and technology experts," the banks said.
The banks argue that Target does have a duty to safeguard card data. "Numerous courts in other data breach cases, applying general negligence principles, have recognized that businesses that undertake card transactions have a duty to card-issuing banks ... to responsibly secure card data," the banks argued.
Target, in its response to the plaintiffs' latest arguments, continues to claim the retailer has no direct contractual business relationship with the banks.
"The banks' resort to the general negligence standard only underscores their failure, and inability, to plead a special relationship," Target argues.
Assessing Motion to Dismiss
Target's recent rebuttal against the banks may be a signal that the retailer is gaining confidence in light of the "breach fatigue" in the aftermath of subsequent major breaches, including those that hit Home Depot and JPMorgan Chase, says Neal O'Farrell, executive director at the Identity Theft Council.
"I suspect they're emboldened by what we all now seem to recognize as breach fatigue among consumers, a type of creeping normality where consumers just accept what they see as inevitable and don't get mad anymore," he says.
If Target succeeds in having the class action dismissed, it would set a dangerous precedent, O'Farrell argues. "It would give a cushion, a safety net, if they could push significant breach costs to the banks," he says. "That gives retailers like Target less incentive to get security right to the best of their ability."
Nevertheless, O'Farrell argues, "I'm not sure this is a good route to go for a company trying to rebuild its reputation. This is not a breach that was beyond Target's reasonable control. Target was exposed for having incredibly lax security at almost every level in the organization. I don't think it wants this scab picked all over again."
Although O'Farrell believes that banks and credit unions should be compensated by the retailer for their costs tied to Target's breach, he says: "My worry is that Target might actually win its arguments because it has weak laws on its side."
Charles Zimmerman, lead counsel for the financial institution plaintiffs, recently told Information Security Media Group: "I am sure Target's customers - who they refer to as guests - would be shocked to know that Target is of the belief that it owes them (and their chosen banks) no duty to protect their private credit and debit card information."