Liable for not Learning from Target Data Breach?

Nossaman LLP

Has the standard of care for retailers handling consumer data shifted in the last 9 months?  As analysts compare the recent Home Depot data breach to the data breach of the credit card processing system at Target last December, the similarities may be more than just interesting: the software and websites used to perpetrate the hacks are so astonishingly parallel that the recently filed complaint (Kelsey O’Brien v. Home Depot Inc.) specifically cites the earlier and widely publicized incident at Target to make its case that Home Depot had been negligent in protecting customer information.

The complaint claims that, after it became known that a program called BlackPOS, described by security firm McAfee Inc. as “an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” was the method used in the Target attack, “many retailers, banks and card companies” responded “by adopting the use of microchips in U.S. credit and debit cards, technology that helps make transactions more secure…” (Complaint, Pg. 6).  Home Depot did not adopt this new standard.  It was only after suffering its own data breach that it decided to quickly implement chip-enabled checkout terminals at all US stores by the end of 2014 (Complaint, Pg. 6).

Plaintiffs will urge that Target’s travails set a new standard of care — what the Complaint calls “reasonable security standards” based on “industry best practices concerning data theft,” showing “negligence in preventing such data theft from occurring…” (Complaint, Pg. 17).

Whether the factual allegations hold up and whether Plaintiffs can adequately allege and prove damages remains to be seen.  But the legal underpinnings for liability rest on established principles of negligence, notice and failing to implement an available fix.  See In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014) (duty to employ “reasonable” security measures to protect private data).  Indeed, Plaintiffs’ allegations echo the calculus of negligence, or “Hand formula,” established in United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947), holding that a legal duty of care is breached whenever the damages resulting from a foreseeable loss are greater than the burden (i.e. cost) of taking precautions against that loss.  As Judge Learned Hand put it: “to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i. e., whether B < PL.”

So while Home Depot thrives on the “do-it-yourself” consumer, companies relying on do-it-yourself security to protect consumer data may wish they had called the experts to deploy the latest technology.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising
