The massive security breach that compromised the information of tens of millions of Target shoppers has spawned lawsuits around the country and legislation aimed at protecting consumers from similar catastrophes.
In New Jersey, the law already requires businesses that operate in the state to disclose to residents who were or might have been affected when the security of computerized records containing their personal information is breached.
A bill introduced Monday in the state Assembly would enhance notice requirements and provide for free credit reports to victims.
The measure, A-2480, provides that the notification must state contact information, including a toll-free telephone number; specify what information has been compromised and the potential consequences; and set forth what the company or entity is doing to address the situation and the steps it may take to safeguard the customer’s information.
The notice must also advise of the free independent credit reports from a consumer reporting agency to be provided on a monthly basis for 12 months if the customer requests, at the expense of the business or entity.
Further, A-2480 would eliminate the alternative of substitute notice­—by way of e-mail, online posting or statewide media—that is now available when the cost of notice would exceed $250,000, the number of people entitled to receive it is more than 500,000 or sufficient contact information is lacking. The only acceptable means would be written notice or electronic notice consistent with federal law on electronic signatures.
The sole sponsor, Assemblywoman Linda Stender, D-Union, in announcing the measure on Feb. 6, tied it to the Target data breach. “Global consumerism has unfortunately made these types of breaches more commonplace in recent years,” she said. “We’re never going to be able to thwart them entirely, but we can empower consumers to protect themselves before irreparable damage is done to their credit or finance.
A-2480 has been referred to the Assembly Consumer Affairs Committee. Chairman Paul Moriarty, D- Gloucester, has not had a chance to thoroughly study the bill but calls it “timely and important” and says he will try to get it listed for a committee hearing in March.
There is no Senate counterpart.
Congress has also proposed new laws in the aftermath of the Target breach. On of them, the Personal Data Protection and Breach Accountability Act, S-1535, introduced on Feb. 4 by Sens. Richard Blumenthal, D-Conn, and Ed Markey, D-Mass, would create a process of companies to establish security plans and hold them accountable for noncompliance; require prompt consumer notification and remedies; and facilitate information sharing between the public and private sector to help prevent future incidents.
Class Action Initiated
Two New Jersey residents, Josephina Santos of Hudson County and Michael Caretti of Mercer, have brought a putative class action against Target over the breach, Santos v. Target Corp., filed in federal court in Newark on Dec. 27.
They seek to represent a nationwide class of persons and entities who used their credit or debit cards at a Target store or on Target.com between Nov. 27 and Dec. 15 of last year and had sensitive personal information, such as credit and debit card numbers, driver’s license numbers, Social Security numbers and checking account information, stolen or compromised.
The putative class is enormous. When Target first announced the breach, on Dec. 19, it said that over 40 million customers had been affected. It later revealed that another group of 70 million was impacted, though some overlap was possible.
Santos and Caretti allege that the manner in which Target stored customer data fell short of legal requirements and industry standards and that the company lagged in notifying customers of the breach, exposing them to the risk of fraud and identity theft.
The lawsuit seeks actual damages, equitable relief to prevent future harm, including credit monitoring and disgorgement of the profits Target earned during the “holiday shopping season,” when the the breach occurred.
The plaintiffs’ lawyer, Jason Travis Brown of the JTB Law Group in Jersey City, says he has filed similar actions in Massachusetts and Minnesota and now has 50 clients around the country and keeps hearing from possible new ones.
Third Circuit law requires injury-in-fact for this type of claim but Brown says that standard can be met.
He says he has clients who not only had their accounts compromised but have seen their available credit lowered by as much as 90 percent by lenders seeking to minimize exposure, creating hardship for those who live paycheck to paycheck. Some are “psychologically devastated,” he says.
He adds that he got a call Wednesday from someone who said hundreds of dollars were taken from an account linked to a compromised card.
On Feb. 6, Brown agreed with Target counsel Jamie Levitt of Morrison & Foerster in New York to stay the lawsuit pending a decision by the Judicial Panel on Multidistrict Litigation on whether to consolidate the lawsuits filed around the country and if so where.
The MDL panel was asked to do so on Dec. 24, by Daniel Becnel, of the Becnel Law Firm in Reserve Louisiana, the same day he filed suit against Target in the Middle District of Louisiana.
Becnel wants everything transferred there but others have since urged various other venues, including Utah, California, Illinois and Target’s home state of Minnesota.
Target told the MDL panel on Jan. 30 that supports consolidation in Minnesota. At that point, it faced 72 class actions and one individual suit in various venues. Minnesota had the most, with 12.
The cases are very similar, said Target, referring to claims like those in Santos as well as claims for invasion of privacy, violation of the Federal Stored Communications Act and violation of state consumer protection statutes, among others.
The MDL panel is expected to address the issue at its March 27 meeting in San Diego.
The stay stipulation in Santos preserved the right to amend the complaint and Brown says he intends to so, possibly adding defendants or filing a separate action against others who might also be at fault.
Scott Vernick, of Fox Rothschild in Philadelphia, who heads the firm’s Privacy and Data Security practice group section and has counseled companies on how to handle data breaches calls A-2480 an understandable reaction but cautions against burdening business and driving them out of the state.
He notes that most companies already provide the free credit reports called for in the bill and that a “one size fits all approach” will not work. “What you can expect of an Amazon or an eBay is different from what you can expect of a small business that just happens to do a lot of online activity.”