Over the last year, retailers have experienced data breaches that compromised consumer’s private credit card and debit card information. The list includes CVS, Home Depot, Neiman Marcus, Shaws, Sears, Supervalu Inc., Target and Walgreens. When Target Corporation announced earlier this year that as many as 110 million customers’ credit and customer records had been hacked during the 2013 holiday season, retailers took immediate action to upgrade and protect their systems. Within days of the announcement, states filed would-be class action lawsuits on behalf of consumers, alleging that Target was negligent in protecting card information.
At the beginning of August the first consolidated class action was filed against the retail giant on behalf of thousands of financial institutions. The class action claims these institutions suffered losses of as much as $18 billion. The costs were incurred in reissuing cards, reimbursing customers and changing or canceling accounts. However, missing from the complaint were claims under the U.S. Racketeer Influenced and Corrupt Organizations Act. An attorney, representing three financial institutions, has argued in favor of bringing RICO claims and sought the court’s permission to file individual lawsuits on behalf of his clients rather than join the class action. It is unknown whether he has been granted that request.
In September, the class-actions from consumers and banks were consolidated into one and filed in Minnesota – Target’s home state. Target responded with a motion to dismiss the claims from financial institutions, arguing that they had failed to state a claim for their allegations relating to violation of the Minnesota Plastic Card Security Act, negligent misrepresentation by omission and negligence. Target argues that it has a relationship with the payment processors, not the banks themselves, and therefore, cannot be held responsible for damages to a third-party under state law.
It may be more difficult for financial institutions to secure a verdict against Target, given outcomes in other cases. A data breach lawsuit against Michaels Stores Inc. was dismissed after the presiding judge ruled the plaintiffs couldn’t show that they suffered direct “economic damage” from a breach that compromised as many as 2.6 million customer credit and debit card numbers. Plaintiffs in data-breach actions against Barnes & Noble Inc., LinkedIn Corp., Sam’s Club and Aetna Inc. have also faced similar rulings.
Though Target’s hack may have been the impetus for the uproar over consumer data protection, underlying the conversation, now taking place, is a threat that’s been growing for years: Data hackers are increasingly operating like businesses, with sophisticated networks of criminals hawking a lucrative product – our identities.