The sphere of foreseeable harm in the event of a data security incident may be expanding beyond the data subjects in a retailer’s direct customer base, as a judge has ruled that a number of banks seeking a new path to recovery of costs can proceed with their negligence claims.

Last week, a federal judge in the United States District Court for the District of Minnesota denied Target’s motion to dismiss the claims brought by the financial institutions. The court held that harm to the financial institutions used by Target’s customers, even though Target itself may not have had a direct relationship with such institutions, was foreseeable and that therefore Target owed a duty of reasonable care to such institutions in safeguarding its customers’ information. Following Target’s high-profile data breach late last year, which may have compromised the data of up to 110 million customers, a consolidated, multi-district class action was brought against Target by three groups: shareholders, consumers, and banks.

The financial institutions allege that Target missed a number of opportunities to avoid the security breach, an allegation that seemed to weigh heavily with the court. In denying Target’s motion to dismiss, the judge found that:

Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.

What could Target have done differently? Beyond the disabled security feature, the complaint alleges that Target failed in its duty of reasonable care in a number of other ways, including:

  • Giving network access to a small third-party vendor, which did not follow broadly accepted information security practices,
  • Failing to respond to multiple automated warnings from anti-intrusion software, and
  • Failing to properly isolate sensitive network assets, allowing the attackers to move from less sensitive areas of the network to areas storing consumer data.

There is a lot at stake for Target in this case – all told, the banks estimate that the costs to banks and retailers caused by Target’s breach could eventually exceed $18 billion. The banks are seeking to recover more than the cost of the fraudulent charges themselves, extending their claims to include expenses such as notifying customers and issuing replacement cards.

The plaintiffs in this case have a long way to go and will have to clear higher hurdles before they can hold Target liable for any portion of that amount, but at a minimum retailers should take note of their growing responsibility to secure data – and of the growing consequences attached to failing to do so adequately.