Express check-out

Target to judge: Banks’ losses in our card breach aren’t our problem

Files in federal court to have banks’ data breach suit thrown out.

Target’s massive data breach, in which criminals were able to drop malware onto point-of-sale systems and compromise at least 40 million credit and debit cards, is now the subject of a federal lawsuit by banks who issued those cards. And Target is arguing in court today that those claims should be thrown out, Bloomberg reports—because the company claims it had no obligation to protect the banks from damages.

The suit has been brought by five banks: First Federal Savings, Village Bank, Umpqua Bank, Mutual Bank, and Louisiana’s CSE Federal Credit Union. As a group, the banks claim that their losses from the breach exceeded $5 million. The lawsuit is playing out as representatives from financial organizations, including the two major US credit union industry associations, are pressing Congress to hold retailers more accountable for payment data breaches and to bring them under the same privacy standards as financial institutions with regard to financial data.

Major retailer data breaches over the past year, including the ones at Target and Home Depot, have forced banks and credit unions to reissue hundreds of millions of payment cards. The Home Depot breach, first reported in September, was revealed last week to have exposed 53 million customer e-mail addresses, as well as 56 million payment cards.

Retailers are fighting additional regulation and claim that they already pay toward banks’ damages through their contracts with the major credit cards, though those payments are a fraction of the actual re-issue costs incurred. A 2010 study by Zurich General Insurance found that the cost of data breaches could run into the hundreds of dollars per exposed card. That is in addition to the financial losses associated with card fraud, the hundreds more per lost card that retailers pay out for forensic investigations of breaches, fines levied by the Payment Card Industry Security Standards Council, and public relations costs related to the breach.

The banks are using a Minnesota law called the Plastic Card Security Act as the basis for the lawsuit. The law prohibits retailers from retaining payment data after a sale is completed. The banks’ lawyers claim that Target retained data and disabled security measures that would have detected the ongoing breach. But in the company’s filing before US District Judge Paul Magnuson in St. Paul, Minnesota, today, Target’s lawyers are asserting that the law doesn’t apply to the breach, since it happened at the point of sale and not in back-end corporate systems.
