At last count, 140 lawsuits were filed against Target in the wake of the massive data breach that exposed credit and debit card payment information for tens of millions of consumers in late 2013. If your head is spinning at the thought of how this will all be handled and what it means for payment security, you’re not alone. Follow along as we take a deep dive.
UPDATE: Following the class-action lawsuits originally filed against Target after the 2013 massive data breach, the retailer has agreed to pay $10 million in damages to settle its lawsuit. With the U.S. federal court’s approval, Target will deposit the said amount into an interest bearing escrow account in order to pay each affected victim up to $10,000 in damages. In the proposal, Target will have to create and implement additional data security measures such as maintaining a written information security program and continuing to utilize the company’s first Chief Information Security Officer (CISO).
UPDATE #2: Target is approaching a settlement with MasterCard. The current settlement is nearing the $20 million mark, to help offset the costs that financial institutions incurred due to the data breach. These costs include the reissuance of credit and debit cards exposed in the data breach, as well as some of the fraudulent transactions that resulted from the exposure of the retailer’s customers’ payment information.
With well over a hundred pending lawsuits, the court system compiled them into three categories (consumers, banks and shareholders), to be overseen by U.S. District Judge Paul Magnuson
The claim in the consumer lawsuit is that the breach was avoidable and occurred because Target did not take proper precautions in protecting its computer systems. The plaintiffs are seeking reparation for injuries including:
Target attempted to get the lawsuit thrown out by claiming that the plaintiffs failed to show enough injury to proceed, but Magnuson found that the plaintiffs did show sufficient injuries, “including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.
“Target ignores much of what is pled, instead contending that because some Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts, Plaintiffs have insufficiently alleged injury. These arguments gloss over the actual allegations made and set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage,” the judge said.
The plaintiffs in the bank lawsuit include Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain. They are pursuing class-action status, on behalf of all banks and credit unions whose customers transacted via debit or credit card at Target during the time of the breach.
The claim in the bank lawsuit is that Target's actions and inactions - disabling certain security features and failing to heed the warning signs as the hackers' attack began - caused foreseeable harm to plaintiffs. The banks are seeking to recover damages incurred by the data breach, including:
Target also tried to get this lawsuit dismissed by claiming that they didn’t have a close enough relationship with the plaintiffs to be held directly liable due to negligence. Judge Magnuson also struck this down and stated, “At this preliminary stage of the litigation, plaintiffs have plausibly (pleaded) a general negligence case. Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.”
Both of these lawsuits will move on to the discovery phase of litigation, where each party will continue to seek and gather evidence from the opposing side to help build their respective cases. Target will continue to attempt to get the cases dismissed, but if unsuccessful, class-action status could be achieved by the financial institutions and the consumers before the cases go to trial in 2016.
The bank lawsuit continuing to move forward is a huge game-changer in the confusing web of who is ultimately responsible for the financial burden after a data breach. Traditionally, banks have been left to absorb the vast majority of the costs of reissuing cards and refunding fraudulent charges - which turned out to be a crippling $240 million in the case of Target. This ruling could ease the loss felt by banks if and when a merchant can be proven negligent in how they safeguarded sensitive customer data.
Rippleshot’s cutting-edge technology and rapidly growing data set make our solution uniquely powerful and comprehensive. When used aggressively, issuers can stop half of all breach-related fraud spends, and retailers can stop their breach months faster, when only a fraction of the cards have been stolen. Sign up below to receive a demo of our software and see for yourself what it can do.
You have fraud frustrations? We have the solutions. Let's discuss what you are dealing with and we can learn more and share how we can help.