
Court Rules Banks Can Sue Target for Negligence in Connection to 2013 Security Breach


Banks that want to file suit against Target for the malware incident in 2013 that compromised the data of over 70 million customers scored a victory on Tuesday in U.S. District Court in Minnesota. The judge ruled that the banks can sue Target for negligence due to the security breach.

Malware was introduced to Target’s POS systems between November and December 2013. The software allowed hackers to steal customer credit card data as the cards were being swiped. Previous reports say around 70 million Target customers were affected by the attack, but the court document says 110 million customer debit and credit card numbers were taken.

There has been no shortage of retail security breaches this year, and this decision opens the possibility that other retailers may be sued. Kmart, Dairy Queen, Home Depot and Neiman Marcus were among the companies that experienced cybersecurity or malware attacks this year. Banks themselves are having trouble as well, with banking giant JP Morgan and four other banks dealing with security breaches in the second half of 2014.

Financial damage from security breaches increased 12-14 percent over last year and 94 percent of companies have experienced a cyber security issue in 2014, according to Kaspersky Labs research.

What made the Target breach more frustrating was that the company had just purchased a new system from cybersecurity firm FireEye a few months before the attack. Security measures were working, but Target ignored the warning messages, which supports the banks’ claim of negligence.

“Plaintiffs argue that this case is not a third-party-harm case but rather is a straightforward negligence case: Target’s own conduct, in failing to maintain appropriate data security measures and in turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm,” said the court document.

The complaint against Target consists of four claims: negligent security; violation of Minnesota’s Plastic Security Card Act; that this violation constitutes negligence per se; and finally that Target’s failure to inform the banks of insufficient security is negligence by omission. Target was seeking to have the charges dismissed on the grounds that the banks did not sufficiently substantiate these claims.

The court found there is indeed enough evidence of negligence for the plaintiffs to file against Target.

“At this preliminary stage of the litigation, Plaintiffs have plausibly pled a general negligence case. Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Judge Paul A. Magnuson said in the decision. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target’s ‘own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff.’”

The decision also stated that the “Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also plausible.”

The implication for service providers here is an important one. Whenever a host or other entity collects sensitive information such as credit card or Social Security numbers, it is imperative that the strictest security standards are in place and that warning signs are taken seriously. Otherwise the door is open to future lawsuits that could be financially devastating, particularly to smaller businesses without the deep pockets of Target.


One Comment

  1. DoktorThomas™

    Watch for the affected consumers to get a second flocking from the fed.gov after lobbyists (real enemy combatants that should forever be housed at Gitmo) get immunization legislation for these tax generating giants. Criminals are criminals and deserve everything that can be thrown at them. Note: Excellent judicial work--a rarity in the USSA [sic]. Minnesota judges are a cut above the rest. This kind of lack of sound operating policy should lead to the imminent demise of the offending business. To be secure, they don't need new hardware; they need to keep delicate data off the Internet. How hard is removing one network connecting wire? Business runs fine without business records connected to the Internet. This procedure even has an IT buzzword name. Read the names carefully; these are companies with which you never want to deal. ©2014 DoktorThomas™. All rights reserved. This material may not be used, published, broadcast, rewritten, paraphrased, forwarded, nor redistributed without written permission. All statutory use exemptions/exceptions specifically revoked by author. Protected by Amendment, Federal law and international treaty. For educational use only--not intended as legal, medical, accounting, tax, financial or other advice; for readers to use as such violates TOS and may entail imposition of financial penalty and other sanctions. Limited license granted for this one exclusive use on thewhir.com.
