A Target store in Minneapolis, MN (Photo: Bruce Bisping / Minneapolis Star Tribune / ZUMAPRESS.com)
Banks that issued debit and credit cards to customers whose financial and personal data were hacked have joined the litigation against Target Corp. Meanwhile, fresh lawsuits are alleging retailers were well aware of the growing threat of such cybersecurity attacks.
Some lawyers believe the banks could have a stronger case for damages than do consumers, in part because banks typically reimburse customers for any losses they suffer. The banks, however, cite uncompensated expenses associated with lost interest and fees; reimbursements for unauthorized charges; and canceling and reissuing cards.
“That’s a huge cost of the banks in having to issue new cards — the price of the cards themselves, and a lot of banks and credit unions like our clients either had to hire people or pay extra wages to their staff,” said Larry Golston, a shareholder at Beasley, Allen, Crow, Methvin, Portis & Miles in Montgomery, whose firm filed a class action against Target on behalf of the Alabama State Employees Credit Union.
“We identified early on that the banks are the ones who suffered the most direct and substantial injuries,” said Brian Gudmundson, a partner at Zimmerman Reed in Minneapolis, which filed class actions against Target in January on behalf of Jim Thorpe Neighborhood Bank in Pennsylvania and Connecticut’s Putnam Bank.
Since Dec. 19, Target and Neiman Marcus Group LLC have confirmed breaches that may have affected millions of shoppers, and Michaels Stores Inc. has announced an investigation of a possible breach. More than 70 class actions, most involving Target, have followed on behalf of customers whose charge cards or other personal information may have been compromised.
Meanwhile, the Justice Department confirmed on Jan. 29 that a criminal investigation was underway into Target’s breach, which affected 40 million customers who made purchases between Nov. 27 and Dec. 15. Another 70 million individuals might have had personal information stolen, Target has said. At least three congressional committees have scheduled hearings into the breaches this week. In a Jan. 16 letter to Congress, American Bankers Association chief executive officer Frank Keating noted that banks historically have received “very little meaningful reimbursement” for costs associated with data breaches.
DATA SECURITY STATUTE
That Target is headquartered in Minneapolis gives the banks another weapon: A Minnesota statute that governs how retailers should retain customer data to avoid identity theft. The statute prohibits businesses from retaining “the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data” of its customers past a certain period. If a security breach occurs due to a violation of the statute, the business must reimburse costs incurred by any financial institution that issued those cards, according to the banks.
“Under the statute, the financial institutions that were harmed by a data breach would have a claim against the retailer if it didn’t act in accordance with the statute,” said Avi Josefson, a partner at New York’s Bernstein Litowitz Berger & Grossmann, who filed suit in U.S. district court in Minnesota against Target on Jan. 28 on behalf of Amalgamated Bank in New York.
Many lawsuits, like the one filed by Amalgamated Bank, raise questions about what Target knew about its cybersecurity risks — and when. The bank claims that Visa issued two warnings to Target last year about malicious software that could allow hackers to obtain encrypted data. Visa instructed Target to take precautions including reviewing its firewalls, but the retailer failed to do so, the suit alleges.
In a consumer case, Seattle’s Hagens Berman Sobol Shapiro claims that security forensics expert Neal Krawetz of Hacker Factor Solutions warned Target and other retailers in 2007 of vulnerabilities in point-of-sale machines — where customers swipe their cards — that could put their financial information at risk. “They knew or should have known that this type of data breach is possible,” Hagens Berman partner Thomas Loeser said.
And it’s not just Target. Mark Lavery, senior litigation associate at Chicago’s Hyslip & Taylor, which filed suit against Michaels on Jan. 27, said that retailer has a history of data breaches.
Last year, Michaels settled a class action over a 2011 breach that involved PIN pads at 90 stores. Under the settlement, approved on April 27, Michaels agreed to set aside $800,000 to compensate consumers whose financial data were compromised and replace PIN pads. “Obviously, Michaels did not invest sufficiently to deter another major data breach despite the previous litigation,” Laverty said.
Michael Fox, a spokesman for Michaels, based in Irving, Texas, declined to comment. So did a Target representative.
Contact Amanda Bronstad at email@example.com.