Data Breach Litigation – Financial Institutions Score Another Shot

Butler Snow LLP

Previously I wrote about banks joining the legal battle over data breaches. Anyone not living under a rock knows that there is multidistrict class action litigation involving Target’s massive data breach[1] in December 2013 (“Target MDL”). It is not as well known that in the Target MDL there are 3 different categories of class action cases: (1) Bank Cases, (2) Consumer Cases, and (3) Shareholder Cases.

In the Bank Cases, the plaintiffs contend that Target (i) was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data, (ii) violated Minnesota’s Plastic Security Card Act (“PSCA”), (iii) its violation of the PSCA constitutes negligence per se, and (iv) its failure to inform the Banks of its insufficient security constitutes a negligent misrepresentation by omission.

Recently the Bank scored an initial victory when the court denied Target’s motion to dismiss on the claims of negligence, violation of the PSCA, and negligence per se.

Target attacked the negligence claim primarily based on the argument that the Banks failed to sufficiently allege that Target owed them a duty. The court didn’t buy it. It ruled that the Banks adequately pled that Target owed them a duty of care finding that Target played a key role in allowing the third-party hackers’ harm to occur. Key to the court’s ruling is that Target purposely disabled one of the security features that would have prevented the harm itself, i.e., Target’s own conduct created a foreseeable risk of injury to a foreseeable plaintiff. This ruling could have a ripple effect in the Consumer Cases and Shareholder Cases against Target.

Further discussing the duty Target owed to the Banks, the court, in dicta, states that institutional parties to credit- and debit-card transactions have already voluntarily assumed duties toward one another. This could have a tremendous ripple effect in a variety of data breach lawsuits filed by banks.

Interestingly, Target did not argue that the Banks failed to plead injury/damages arising from the data breach, which is the usual attack on consumer data breach lawsuits.

This ruling makes it even more important for businesses to preventatively plan for a data breach, particularly for businesses who conduct credit- and debit-card transactions. Important in any cyber security plan is a risk assessment of the data security system, which should be performed by a third party vendor and not internal IT. You should know now – not later – if any data security features have been disabled.

[1] As the court described the data breach in its Memorandum and Order, “over a period of more than three weeks during the busy Christmas holiday shopping season, computer hackers had stolen credit- and debit-card information for approximately 110 million of Target’s customers.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Snow LLP | Attorney Advertising

Written by:

Butler Snow LLP

Butler Snow LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.