Suits Against Target Make 'Statement'Banks, Credit Unions Argue Breached Retailers Should Pay
Lawsuits that banking institutions have filed against Target Corp. in the wake of the retailer's massive breach aren't likely to reap big rewards, two legal experts say. But the suits are sending a strong message: Card issuers want retailers to pay for breach-related expenses.
See Also: Secure Access in a Hybrid IT World
In the suits filed so far, banking institutions claim Target should be responsible for card re-issuance and replacement expenses that have been incurred by card issuers as a result of the retailer's breach, which is estimated to have exposed some 40 million debit and credit cards.
Cybersecurity attorney Joseph Burton, managing partner of the San Francisco office for law firm Duane Morris, says the suits aren't likely to succeed because of the contractual relationships issuers have with the card brands. Those contracts with Visa and MasterCard include compensation for expenses associated with card breaches, he says.
"Such suits are a major uphill fight, even with good facts, which may not be the case here," Burton says.
Privacy attorney David Navetta, co-founder of the Information Law Group and former co-chairman of the American Bar Association's Information Security Committee, says these types of lawsuits typically lack a contractual hook for card issuers, and, thus, aren't very convincing for the courts.
"This leaves them [banking institutions] making 'extra-contractual claims,' such as negligence, or making claims that they are the intended third-party beneficiary of either the merchant agreement or the card brands' operating regulations," he says. "These [kinds of] cases have not gone very well for the issuing banks."
Navetta points out, however, that similar suits filed by card issuers against Heartland Payment Systems in the wake of its 2008 breach ultimately were fruitful for the banks.
"Some of these banks are likely hoping they can advance some of the theories alleged and upheld in Heartland," he adds.
Card issuers sued Heartland for recovery of expenses linked to card re-issuance and fraud after the processor's network was hacked and an estimated 130 million U.S. payment cards were compromised. A federal court later dismissed the banks' case, which claimed Heartland did not take reasonable security measures to avoid the risk of a "foreseeable intrusion."
But in February 2013, card issuers filed an appeal to reverse the lower court's decision, which found that the banks should be satisfied with the financial settlements Heartland reached with card brands Visa, MasterCard and American Express. In September 2013, the Fifth Circuit Federal Appellate Court favored the banks and reversed the district court's ruling.
If referenced by card issuers in their recent suits against Target, that appellate ruling could work in banks' favor, Navetta says.
"Even if they happen to participate in the card brands' fraud and operating expense recovery programs, they recover only a portion of their out-of-pocket losses," he says. "If they don't participate in those recovery programs, they are left without a direct remedy in most cases - the exceptions are in Minnesota and Washington, which both have laws that can allow banks to recover certain costs in the wake of a payment card breach."
But Navetta also points out that suits against Target so far have only been filed by community-based institutions. Leading card issuers aren't suing because they often have merchant acquiring relationships with retailers, he points out.
"Someday they may be the target of a similar suit if one of their merchants gets hit with a breach," Navetta says. "These issuing banks know that if they sue another bank, it could create 'bad case law' that could later result in their own liability."
Putnam Bank Lawsuit
Putnam Bank, a $451 million community bank based in Connecticut, was among the first to file a class action suit against Target, claiming the retailer should compensate affected banks for expenses associated with card re-issuance, closing accounts, reimbursing customers for unauthorized transactions and other breach-recovery-related losses.
"Target's failure to adequately safeguard customer confidential information and related data and Target's failure to maintain adequate encryption, intrusion detection, and prevention procedures in its computer systems caused the losses hereinafter set forth," Putnam Bank notes in its claim.
The increase in retail breaches is becoming too much for smaller banks and credit unions to handle, says Tom Borner, a Putnam Bank's spokesman.
"We're just frustrated," he says. "We're stuck with the fraud; we're stuck with reissuing the cards; and we are out the debit interchange for the time we have to close the cards down. We reissued about 3,000 cards because of the Target breach, and for an institution our size, that's a lot."
On Jan. 27, a district court in Minnesota granted Target's motion to stay in the Putnam case, pending an expected decision from a judicial panel on Target's request to consolidate the case with others suits into a multi-district litigation.
Pennsylvania-based First Choice Federal Credit Union, an $18 million institution based in New Castle, and Alabama State Employees Credit Union, a $212 million institution based in Montgomery, filed similar suits against Target, claiming the retailer should compensate them for breach-related expenses.
And on Feb. 13, Wisconsin-based Integrity First Bank, an $80 million institution based in Wausau, filed a class action suit with a Wisconsin consumer against Target for compensation related to the breach.
First Choice FCU, Alabama State Employees CU and Integrity First could not be reached for comment about their suits against Target.
Will Collaboration Help?
Despite the lawsuits against Target, banking and retail associations have made strides to encourage institutions and retailers to work together (see Card Security: Banks, Retailers Collaborate).
But banking industry groups such as the American Bankers Association, the Independent Community Bankers of America and the Consumer Bankers Association also have been outspoken about how retail breaches are adversely affecting banking institutions.
David Pommerehn, senior counsel and assistant vice president of the CBA, says banking institutions have a right be compensated.
"If merchants are responsible for breaches, we believe that that re-issuance cost should be their responsibility to cover," Pommerehn says.
Viveca Ware, who oversees regulatory policy for the ICBA, says lawsuits filed by community banks and credit unions against Target are sending a message. "Community banks that have decided to sue or will sue have put a stake in the ground to say, 'We won't tolerate this,'" she says.
Credit unions are feeling the pain of breaches, too. In 2013, card re-issuance and replacement expenses following a breach cost credit unions between $5 and $15 per card, according to the National Association of Federal Credit Unions.
"Banks are highly regulated," says Steve Kenneally of the ABA says. "On the flip side, it's a lot less clear what regulations and rules and standards [merchants] have to follow and who's checking to see that they're actually doing it."