Banks that want to file suit against Target for the malware incident in 2013 that compromised the data of over 70 million customers scored a victory on Tuesday in Minnesota US District Court. The judge ruled that the banks can sue Target for negligence due to the security breach.
Malware was introduced to Target’s POS systems between November and December 2013. The software allowed hackers to steal customer credit card data as the cards were being swiped. Previous reports say around 70 million Target customers were affected by the attack, but the court document says 110 million customer debit and credit card numbers were taken.
There has been no shortage of retail security breaches this year and this decision opens the possibility that other retailers may be sued. Kmart, Dairy Queen, Home Depot and Neiman Marcus were among the companies that experienced cybersecurity or malware attacks this year. Banks themselves are having trouble as well with banking giant JP Morgan and four other banks dealing with security breaches in the second half of 2014.
Financial damage from security breaches increased 12-14 percent over last year and 94 percent of companies have experienced a cyber security issue in 2014, according to Kaspersky Labs research.
What made the Target breach more frustrating was that the company had just purchased a new system from cybersecurity firm FireEye a few months before the attack. Security measures were working, but Target ignored the warning messages, which supports the banks’ claim of negligence.
“Plaintiffs argue that this case is not a third-party-harm case but rather is a straightforward negligence case: Target’s own conduct, in failing to maintain appropriate data security measures and in turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm,” said the court document.
The complaint against Target consists of four claims: negligent security; violation of Minnesota’s Plastic Security Card Act; that this violation constitutes negligence per se; and finally that Target’s failure to inform the banks of insufficient security is negligence by omission. Target was seeking to have the charges dismissed on the grounds that the banks did not sufficiently substantiate these claims.
The court found there is indeed enough evidence of negligence for the plaintiffs to file against Target.
“At this preliminary stage of the litigation, Plaintiffs have plausibly pled a general negligence case. Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Judge Paul A. Magnuson said in the decision. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target’s ‘own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff.’”
The decision also stated that the “Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also plausible.”
The implication for service providers here is an important one. Whenever a host or other entity collects sensitive information such as credit cards or social security numbers, it is imperative that the strictest security standards are in place and warning signs are taken seriously. Otherwise the door is open to future lawsuits that could be financially devastating, particularly to smaller businesses without the deep pockets of Target.