Bank Files Unique Suit Against TargetUmpqua Bank Alleges Violations of Minnesota Statute
Umpqua Holdings Corp. is the latest U.S. banking institution to file a class action lawsuit against Target Corp., alleging the big-name retailer is responsible for reimbursing card issuers for the expenses and fraud losses they have suffered because of Target's data breach.
See Also: HIPAA Audits: A Revised Game Plan
But the Umpqua case is a bit different.
The $11.6 billion bank filed its suit March 10 against Target, alleging violations of the Minnesota Plastic Card Security Act. Target is based in Minneapolis.
Cybersecurity attorney and financial fraud expert Joseph Burton says Umpqua's reliance on the Minnesota act is unique and could prove more fruitful than the other cases filed so far against Target.
"First it prohibits retailers doing business in Minnesota, Target's headquarters, from retaining sensitive card stripe data after authorization of the transaction," says Burton, who serves as managing partner for the San Francisco office for the firm Duane Morris. "Second, it requires a retailer who has violated this prohibition to reimburse the responsive costs incurred by any financial institution which issued payment cards affected by the breach of the retailer's system. While a number of states had in the past professed an interest in passing similar statutes, Minnesota is the only one that has done so."
Umpqua's complaint alleges that Target improperly stored card data, thus violating compliance with the Payment Card Industry Data Security Standard and the Minnesota statute, he says.
"All in all, the complaint does a clever and novel job of trying to tie the PCI standards, which are really a private, contractually based requirement, and specified state law requirements as a means of supporting a general duty of care owed by a retailer, not only to his customer, but to anyone else adversely impacted by that retailer's culpable behavior," Burton says. "It will, nonetheless, likely be a tough legal row to hoe."
Privacy attorney David Navetta, co-founder of the Information Law Group and former co-chairman of the American Bar Association's Information Security Committee, agrees Umpqua's case won't be easy to argue. Still, he says, "It's the first case I have seen that has listed the Minnesota Plastic Card Security Act as a cause of action."
Navetta is curious to see if other banking institutions will follow Umpqua's lead.
In the suits filed so far, banking institutions claim Target should be responsible for card re-issuance and replacement expenses that have been incurred by issuers as a result of the retailer's breach, which is estimated to have exposed some 40 million debit and credit cards (see Suits Against Target Make 'Statement').
Burton says he doubts any of these early suits will bear much fruit for banking institutions; proving contractually that Target is liable for losses is difficult.
"The cases that have been brought so far don't really offer what I would say would be a clear theory of liability," Burton says. "I think it's going to be a tough trail," adding that most of the cases filed so far will likely be settled out of court.
That's because case law involving card breaches is limited, he says.
"If you look at the law, the deck is really stacked against the banks," Burton explains. "I am not aware of a case in which a bank has sued a retailer in this sort of situation. That's not to say it's not possible to have a case. But Target is the first case; and first cases, like the early explorers, there are arrows in the back to show for it."
Card Breaches: The Case Law
Most class action suits filed by banks and credit unions in the wake of card breaches have not involved retailers, or they have been settled, Burton notes.
Two of the most noteworthy cases illustrate Burton's point. The 2008 class action suits brought against Maine-based grocery chain Hannaford Brothers for a breach it unearthed in March of that year were later settled out of court. And that class action was brought against Hannaford by consumers, not banks.
The second breach suit, which was filed against Heartland Payment Systems in the wake of its 2008 breach is a little different.
Card issuers sued Heartland for recovery of expenses linked to card re-issuance and fraud after the processor's network was hacked and an estimated 130 million U.S. payment cards were compromised.
The case was initially dismissed. But in February 2013, card issuers filed an appeal to reverse the lower court's decision. In September 2013, the Fifth Circuit Federal Appellate Court favored the banks and reversed the district court's ruling.
Navetta says the theories alleged and upheld in the Heartland case could benefit banking institutions in their cases against Target.
"Even if they happen to participate in the card brands' fraud and operating expense recovery programs, they recover only a portion of their out-of-pocket losses," he says. "If they don't participate in those recovery programs, they are left without a direct remedy in most cases."
But while the Heartland dispute was ultimately a win for the banks, the case did not involve suing a retailer.
"Previous cases involve some other players," Burton says. "They didn't involve banks versus retailers. ... It's a very complicated issue."