Last year’s massive data breach at Target was the first of a series of data breaches that continue unabated to this day with no end in sight. While millions of Target customers were inconvenienced by the theft of their credit card or debit card information, banks that issued those cards and had to replace those stolen cards suffered financial losses involved with replacing the stolen cards as high as 400 million dollars. Five of these banks, Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings filed a class action in federal court on behalf of themselves and other affected banks seeking payment from Target for the losses they incurred as a result of the Target data breach. Target responded to the lawsuit by filing a Motion to Dismiss the lawsuit arguing that it was not responsible for the data breach, however Judge Paul A. Magnuson, in denying Target’s motion ruled that there was sufficient evidence of Target’s negligence to warrant a trial. Specifically, the judge said that Target ignored security software program alerts that there was a problem and also actually disabled some of its own security features which contributed to the data breach. According to Judge Magnuson, “Plaintiffs have plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.”
The importance of this early ruling in the case of the banks against Target cannot be overestimated. While in the past retailers were not held responsible for the occasional data breach occurring in the processing of credit and debit card transactions, an ultimate verdict in favor of the banks could signal a major change in how retailers conduct business in general and in particular what security steps they will need to take in order to avoid financial responsibility for future data breaches. Coupled with regulations shifting responsibility for data breaches to retailers who fail to switch to new smart credit cards with computer chips by October of 2015, this ruling may signal a new paradigm for company electronic security.