Suits Against Target Make 'Statement'

Banks, Credit Unions Argue Breached Retailers Should Pay

By , February 19, 2014.
Suits Against Target Make 'Statement'
 

Lawsuits that banking institutions have filed against Target Corp. in the wake of the retailer's massive breach aren't likely to reap big rewards, two legal experts say. But the suits are sending a strong message: Card issuers want retailers to pay for breach-related expenses.

See Also: Secure E-Banking: Consumer-Friendly Strong Authentication

In the suits filed so far, banking institutions claim Target should be responsible for card re-issuance and replacement expenses that have been incurred by card issuers as a result of the retailer's breach, which is estimated to have exposed some 40 million debit and credit cards.

Cybersecurity attorney Joseph Burton, managing partner of the San Francisco office for law firm Duane Morris, says the suits aren't likely to succeed because of the contractual relationships issuers have with the card brands. Those contracts with Visa and MasterCard include compensation for expenses associated with card breaches, he says.

"Such suits are a major uphill fight, even with good facts, which may not be the case here," Burton says.

Privacy attorney David Navetta, co-founder of the Information Law Group and former co-chairman of the American Bar Association's Information Security Committee, says these types of lawsuits typically lack a contractual hook for card issuers, and, thus, aren't very convincing for the courts.

"This leaves them [banking institutions] making 'extra-contractual claims,' such as negligence, or making claims that they are the intended third-party beneficiary of either the merchant agreement or the card brands' operating regulations," he says. "These [kinds of] cases have not gone very well for the issuing banks."

Navetta points out, however, that similar suits filed by card issuers against Heartland Payment Systems in the wake of its 2008 breach ultimately were fruitful for the banks.

"Some of these banks are likely hoping they can advance some of the theories alleged and upheld in Heartland," he adds.

Card issuers sued Heartland for recovery of expenses linked to card re-issuance and fraud after the processor's network was hacked and an estimated 130 million U.S. payment cards were compromised. A federal court later dismissed the banks' case, which claimed Heartland did not take reasonable security measures to avoid the risk of a "foreseeable intrusion."

But in February 2013, card issuers filed an appeal to reverse the lower court's decision, which found that the banks should be satisfied with the financial settlements Heartland reached with card brands Visa, MasterCard and American Express. In September 2013, the Fifth Circuit Federal Appellate Court favored the banks and reversed the district court's ruling.

If referenced by card issuers in their recent suits against Target, that appellate ruling could work in banks' favor, Navetta says.

"Even if they happen to participate in the card brands' fraud and operating expense recovery programs, they recover only a portion of their out-of-pocket losses," he says. "If they don't participate in those recovery programs, they are left without a direct remedy in most cases - the exceptions are in Minnesota and Washington, which both have laws that can allow banks to recover certain costs in the wake of a payment card breach."

But Navetta also points out that suits against Target so far have only been filed by community-based institutions. Leading card issuers aren't suing because they often have merchant acquiring relationships with retailers, he points out.

"Someday they may be the target of a similar suit if one of their merchants gets hit with a breach," Navetta says. "These issuing banks know that if they sue another bank, it could create 'bad case law' that could later result in their own liability."

Putnam Bank Lawsuit

Putnam Bank, a $451 million community bank based in Connecticut, was among the first to file a class action suit against Target, claiming the retailer should compensate affected banks for expenses associated with card re-issuance, closing accounts, reimbursing customers for unauthorized transactions and other breach-recovery-related losses.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE JPMorgan Chase: No New Cyber-Attack

JPMorgan Chase labels as inaccurate a New York Times report about a second data breach against the...

Latest Tweets and Mentions

ARTICLE JPMorgan Chase: No New Cyber-Attack

JPMorgan Chase labels as inaccurate a New York Times report about a second data breach against the...

The ISMG Network