Target Requests Bank Lawsuit DismissalRetailer Argues Breach-Related Case Has No Merit
See Also: Ransomware: The Look at Future Trends
The suit, among other things, seeks compensation from the retailer for certain breach-related expenses, such as reissuing affected payment cards and covering the cost of fraud. The breach exposed 40 million credit and debit card details and the personal information of 70 million customers.
In a request submitted Sept. 2 to the Minnesota District Court, Target asserts that the case should be thrown out because the retailer has no direct contractual business relationship with the financial institutions.
"The banks' ... claims hinge, among other things, on there being a never-before recognized 'special relationship' between merchants, like Target, and payment card issuers ...," the retailer says in its request to the court. "The banks, however ... do not even have a direct relationship with Target. ..."
Assessing Target's Latest Move
Other breached companies have used similar arguments to fight breach-related lawsuits filed by banks, stating "there was never a contractual obligation to make financial institutions whole," says Neal O'Farrell, executive director at the Identity Theft Council.
Nevertheless, O'Farrell argues, "I'm not sure this is a good route to go for a company trying to rebuild its reputation. This is not a breach that was beyond Target's reasonable control. Target was exposed for having incredibly lax security at almost every level in the organization. I don't think it wants this scab picked all over again."
Although O'Farrell believes that banks and credit unions should be compensated by the retailer for their costs tied to Target's breach, he says: "My worry is that Target might actually win its arguments because it has weak laws on its side."
Charles Zimmerman, lead counsel for the financial institution plaintiffs, tells Information Security Media Group: "I am sure Target's customers - who they refer to as guests - would be shocked to know that Target is of the belief that it owes them (and their chosen banks) no duty to protect their private credit and debit card information."