Member Article

A federal court has denied Target Corporation’s motion to dismiss class action claims brought against it by issuing banks. The banks are seeking recovery of losses they allegedly incurred as a result of Target’s data breach in December 2013. The ruling opens the door for the issuing banks to take discovery in their effort to recover their breach losses, despite the absence of a contractual relationship between the parties and the remedies available to issuing banks under card brand regulations.

Background

During the holiday shopping season of 2013, Target Corporation suffered one of the largest credit card breaches in history. Malware installed on the company’s network exposed the credit card information of 40 million customers and the personal information of 70 million more. The breach resulted in a flood of litigation by various parties, including a class action filed by issuing banks for costs the banks allegedly incurred as a result of the breach, including the costs to replace compromised cards and costs to reimburse cardholders for fraudulent charges.

In their class action suit, the banks assert claims for (1) negligence, (2) violations of the Minnesota Plastic Card Security Act (“PCSA”), (3) negligence per se based on Target’s alleged violation of the PCSA, and (4) negligent misrepresentation by omission based on Target’s alleged failure to inform the issuing banks of its faulty security system. Target moved to dismiss the claims, but the court denied the motion as to all claims except the claim for negligent misrepresentation, which it dismissed with leave to amend.

Negligence Claims for Failure to Safeguard Card Information Allowed to Proceed

A key question in this litigation is whether Target owed a duty to the banks to safeguard customer credit and debit card information. Such a duty is a necessary element of any negligence claim. Target argued in its motion to dismiss that the plaintiffs’ negligence claims were third-party-harm type negligence claims, which require that the plaintiff and defendant have a “special relationship” in order for the defendant to be liable for the harm caused by a third party. Because it had no contractual relationship with the plaintiff banks, Target argued, it owed no special duty to them that may serve as a basis for liability. The banks argued in response that their claims were for general negligence, which imposes a duty of care on the defendant to avoid foreseeable risks of harm to foreseeable plaintiffs. In addition to alleging that Target failed to adequately protect card information, the issuing banks alleged that Target affirmatively disabled parts of its security system, creating a foreseeable risk of harm to the banks.

The court held that the plaintiffs plausibly pled a general negligence claim, even though third-party hackers had caused the damage. According to the court, Target’s alleged actions - and inaction - created a foreseeable risk of harm to the issuing banks. Indeed, the court concluded that the allegation that Target purposely disabled a security feature that would have prevented the harm was sufficient by itself to support a negligence claim. Moreover, the court concluded that imposing a general duty of care on Target would further “Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information” (citing the PCSA as evidence of this policy).

Claims for Violation of the Plastic Card Security Act and Negligence Per Se Allowed to Proceed

The plaintiff banks also claimed that Target was not compliant with the PCSA, which prohibits any entity doing business in Minnesota that accepts credit or debit cards from retaining any information from the card after the transaction is authorized. Target argued that the PCSA only applied to transactions in Minnesota, making it inapplicable to many of the transactions at issue in the case, but the court rejected that argument. The PCSA “[b]y its terms, applies to the data retention practices of any person or entity ‘conducting business in Minnesota,’” the court held. Because Target was a Minnesota company and conducted business in Minnesota, Target’s data retention practices were subject to the PCSA.

Target also argued that customer card data was stolen at the point of sale, making its data retention policy irrelevant because it was not a cause of the harm. The court rejected that argument as well, holding that the banks had sufficiently alleged that Target stored card data longer than prescribed by the PCSA and that the hackers were able to access some of the stored data because of Target’s retention practices. Thus, the court denied Target’s motion to dismiss the banks’ PCSA claims. Because the banks’ negligence per se claims were based on violations of the PCSA, the court allowed those claims to proceed as well.

Negligent Misrepresentation by Omission Claim Dismissed with Leave to Amend

Finally, the banks brought a claim for negligent misrepresentation by omission against Target, alleging that the company held itself out as having secure data systems when it knew that its data systems were vulnerable. As the basis for this claim, the banks cited Target’s statements in its privacy policy and its agreement to comply with card operating regulations and the Payment Card Industry Data Security Standard (“PCI DSS”). According to the banks, Target knew or should have known that it was not in compliance with the representations. The court held that the banks’ allegations were sufficient to state a negligent omission, but that the banks had failed to adequately plead reliance, a necessary element of any negligent misrepresentation claim. The court dismissed the claim, but granted the banks leave to amend the complaint to properly plead reliance.

Takeaways

Companies should note that the Minnesota PCSA applies to entities “conducting business in Minnesota.” Because Target is a Minnesota corporation with its headquarters and physical locations in Minnesota, the court did not analyze what other operations might make a company subject to the PCSA (other than to say the statute does not apply to “non-Minnesota companies”). Thus, companies that accept payment cards, have physical locations, market themselves, or make sales to residents in Minnesota may need to re-examine their data retention practices (and their contractual obligations to retain transaction data) for compliance with the PCSA.

More broadly, issuing banks and merchants will be watching this case to see how it proceeds. This decision may foretell additional attempts by issuing banks to recover directly from merchants. Target will surely file motions for summary judgment at some point and if the issuing banks are able to survive motions for summary judgment, then we expect to see more claims like this. The PCI DSS includes procedures designed to reimburse issuing banks for their losses from a breach, but the Target court’s decision, at least so far, suggests that they may have additional options for recovery available to them.

For more information please contact one of the following Haynes and Boone, LLP lawyers.