Landmark Ruling in Target Data Breach Lawsuit Affects any Company Handling Private Consumer Information

December 3, 2014 | Alerts

The Minnesota federal district court overseeing nationwide litigation against Target related to its massive 2013 data breach issued a ground-breaking decision on December 2, 2014 that may significantly increase the risks associated with storing or processing consumer or employee private or financial information, as well as provide a new avenue for financial institutions to recover costs incurred as a result of data breaches (e.g., card reissuance costs and fraudulent charges).

One portion of the litigation against Target concerns claims by banks and credit unions seeking to recover the losses they incurred from improper charges and from issuing new credit and debit cards as a result of Target’s data breach. Earlier this year, Target moved to dismiss the financial institutions’ claims for negligence, negligent misrepresentation and violation of Minnesota’s Plastic Card Security Act (PCSA).

On December 2, 2014, the court denied Target’s motion almost in its entirety. In doing so, it recognized Target had a potentially broad-reaching duty to consumers and financial institutions to protect consumer information. The court focused heavily on the financial institutions’ allegations that: (i) “Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data,” and (ii) Target’s own actions, including “disabling certain security features and failing to heed the warning signs as the hackers’ attack began,” caused the harm to the institutions. Taking those allegations as true at the motion to dismiss stage, the court then used public policy as a justification to recognize a general duty to secure consumer financial information, holding that “[i]mposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.” Accordingly, the court declined to dismiss the financial institutions’ negligence claims. The court also declined to dismiss claims based on the Minnesota PCSA, which bars entities accepting credit or debit cards from retaining certain information for more than 48 hours after the transaction. Separately, the court held that the financial institutions’ allegation that “Target knew facts about its ability to repel hackers that Plaintiffs could not have known” could give rise under Minnesota law to a broad duty to disclose that Target lacked appropriate security measures. However, the court dismissed (without prejudice and with leave to re-plead) a negligent omission claim because the institutions had not properly pled reliance on the omissions.

Although much of the analysis in the Target decision focuses on issues specific to Minnesota law, the ruling will likely have much broader implications and may signal a turning point in data breach litigation. Until now, most data breach lawsuits were defeated on motions to dismiss when plaintiffs were unable to establish standing or to state plausible claims for breach of common law or statutory duties. Given the prevalence of data breaches in the last couple of years, and the increasing scrutiny on the societal costs they inflict, the Target court’s recognition of common law duties to reasonably protect consumer information as a matter of public policy and to disclose any lack of adequate security – in such a widely watched and significant case – may well embolden courts in other states to reach the same conclusions and find similar common law duties under their own state law. The Target court’s extension of those duties to protect financial institutions, instead of limiting their protection just to consumers providing information, may also bring a sea change in the ability of financial institutions to recover for costs incurred as a result of a data breach. This change would significantly alter the risk calculus for any company that stores and processes consumer information.