A Federal Judge denied Target's motion to dismiss a lawsuit filed by a putative class of bankers whose customers' information was stolen in the data breach last year. According to the banks, they suffered tens of millions of dollars in damages from having to reimburse fraudulent charges as a result of the data breach affecting almost 70 million consumers. In the complaint, Target is alleged to have disabled security features and kept information longer than necessary to complete the transactions.
As reported by The Hill, "the case could help answer the murky question of who is liable following a major data breach. 'This ruling is one of the first decisions that clarifies the legal muddle between merchants and banks,' said Craig Newman, a lawyer with Richards Kibbe & Orbe who advises on security issues." The dispute essentially focuses on the idea that retail merchants are allowed to shift the financial responsibility in the wake of data breaches to the banks without recourse. Typically the banks or other credit institutions are footing the bill for the security measures, or lack thereof, put in place by retail establishments to protect the information used in processing payments.
In the federal court case, target unsuccessfully attempted to shift the blame for the data breach onto the hackers, claiming Target had no duty to protect from third party criminal conduct. The court held, however, that Target played a "key role" in allowing the harm to occur by disabling security features and storing data longer than allowed under Minnesota law. Either precaution could have prevented the data breach or limited the damage caused by the hackers. It's too early to know whether the claims will survive summary judgment, which could be years away, but for now the case importantly shifts some of the legal responsibility to protect consumers onto the merchants rather than just the banking institutions.