Last winter, following a well-publicized data breach, a group of financial institutions sued Target, arguing that Target should be held responsible for the damages that they had experienced as a result of the data breach despite the fact such damage only occurred indirectly through their individual cardholders. As discussed in this previous post, the financial institutions were able to survive a motion to dismiss from Target using this novel argument. In a new development, another victory was handed to the banks on Tuesday – Target and Visa have announced that they have agreed to settle the claims of Visa’s major card issuers for up to $67 million dollars.
This deal is significant in a number of ways, not the least of which is its size – $67 million represents a significant settlement amount for a single data security suit. When combined with the novelty of the claims made by the financial institutions, it’s likely that this deal will set a precedent for future data security litigation and may spark more claims from financial institutions who suffer losses as a result of similar data breaches in the future.
This should be a cautionary tale for retailers. Between the success of the banks in obtaining recovery for these losses by taking an expansive view of the scope of foreseeable harm and the new liability-shifting rules being introduced in conjunction with the new EMV chip technology, retailers who accept credit cards are facing a future in which they are expected to bear an increasing portion of the burden of any losses occurring from data breaches – especially if such retailers are not taking active and aggressive steps to keep, implement, and maintain available processes and tools to prevent such losses.