Target Breach Suit Won't Be DismissedJudge Rules Banks Can Move Forward With Case
A federal judge has denied Target's motion to dismiss the class action lawsuit brought against it by several banking institutions following the retailer's December 2013 data breach that exposed 40 million payment cards and personal details for 70 million customers.
See Also: HIPAA Audits: A Revised Game Plan
"Target played a key role in allowing the [breach] to occur," Paul Magnuson, the U.S. district court judge overseeing the Target case, said in a Dec. 2 memo announcing his decision.
"Plaintiffs have plausibly pled a claim for negligence, a violation of [Minnesota's Plastic Card Security Act], and negligence per se," he said. But the judge dismissed a fourth claim - that Target's failure to inform the plaintiffs of its insufficient security constituted a negligent misrepresentation by omission.
In the lawsuit, the banks are seeking compensation from the retailer for certain breach-related expenses, such as reissuing affected payment cards and covering the cost of fraud.
The retailer on Sept. 2 had requested that the court dismiss the class action lawsuit because the retailer has no direct contractual business relationship with the financial institutions (see: Target Requests Bank Lawsuit Dismissal).
"The banks' ... claims hinge, among other things, on there being a never-before recognized 'special relationship' between merchants, like Target, and payment card issuers ...," the retailer said in its request to the court. "The banks, however ... do not even have a direct relationship with Target. ..."
Charles Zimmerman, lead counsel for the financial institution plaintiffs, tells Information Security Media Group: "We are very pleased with the court's decision. We have always felt the claims of the financial institutions were valid and that the discovery will demonstrate how and why Target allowed their systems to be breached."
A spokesperson for Target denied to comment on the case, saying the company doesn't typically remark on pending litigation.
Analyzing the Ruling
Because the financial institution plaintiffs constructed a strong legal argument based on the alleged facts of the case, the judge was able to rule in their favor and keep the case alive, says Francoise Gilbert, founder of the IT Law Group.
"The judge ... determined that the legal argument was based on sufficient factual allegations that it would have a reasonable chance to proceed if the banks were able to show that their allegations were correct," she says.
The Target case could lead other banks to take legal action in the wake of retailer breaches, says Ted Schaer of Philadelphia-based law firm Zarwin Baum DeVito Kaplan Schaer Toddy, P.C. "The banks are absorbing these financial losses," he says. "What you're seeing here is they're not going to stand for it and they're going to require accountability from the C-suite [at breached merchants] to assure that proper security in network and point-of-sale terminals is established - and if not, they're going to seek redress."