Previously I wrote about banks joining the legal battle over data breaches. Anyone not living under a rock knows that there is multidistrict class action litigation involving Target’s massive data breach in December 2013 (“Target MDL”). It is not as well known that in the Target MDL there are 3 different categories of class action cases: (1) Bank Cases, (2) Consumer Cases, and (3) Shareholder Cases.
In the Bank Cases, the plaintiffs contend that Target (i) was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data, (ii) violated Minnesota’s Plastic Security Card Act (“PSCA”), (iii) its violation of the PSCA constitutes negligence per se, and (iv) its failure to inform the Banks of its insufficient security constitutes a negligent misrepresentation by omission.
Recently the Bank scored an initial victory when the court denied Target’s motion to dismiss on the claims of negligence, violation of the PSCA, and negligence per se.
Target attacked the negligence claim primarily based on the argument that the Banks failed to sufficiently allege that Target owed them a duty. The court didn’t buy it. It ruled that the Banks adequately pled that Target owed them a duty of care finding that Target played a key role in allowing the third-party hackers’ harm to occur. Key to the court’s ruling is that Target purposely disabled one of the security features that would have prevented the harm itself, i.e., Target’s own conduct created a foreseeable risk of injury to a foreseeable plaintiff. This ruling could have a ripple effect in the Consumer Cases and Shareholder Cases against Target.
Further discussing the duty Target owed to the Banks, the court, in dicta, states that institutional parties to credit- and debit-card transactions have already voluntarily assumed duties toward one another. This could have a tremendous ripple effect in a variety of data breach lawsuits filed by banks.
Interestingly, Target did not argue that the Banks failed to plead injury/damages arising from the data breach, which is the usual attack on consumer data breach lawsuits.
This ruling makes it even more important for businesses to preventatively plan for a data breach, particularly for businesses who conduct credit- and debit-card transactions. Important in any cyber security plan is a risk assessment of the data security system, which should be performed by a third party vendor and not internal IT. You should know now – not later – if any data security features have been disabled.
 As the court described the data breach in its Memorandum and Order, “over a period of more than three weeks during the busy Christmas holiday shopping season, computer hackers had stolen credit- and debit-card information for approximately 110 million of Target’s customers.”