When hackers steal consumer data, injury to consumers is not a foregone conclusion.  This is particularly so where credit and debit card numbers are stolen.  Banks, not consumers, bear the cost of fraudulent charges.  Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities.   As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury. Continue Reading Ruling Vacating Target Consumer Class Settlement Highlights The Problem Of Standing In Data Breach Cases

Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach.  Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.

The Target data breach occurred after hackers were able to compromise the security of a Target refrigeration vendor.  The vendor’s log-in credentials to the Target computer system provided a portal to infiltrate Target and install malware on point-of-sale (“POS”) terminals that was used to record and steal customers’ card data.  In their class certification motion, the banks focus heavily on Target’s alleged data security failings.  They claim that Target retained unencrypted card data, disregarded warnings about malware targeting POS terminals, disabled security features that purportedly would have detected the POS malware, ignored alerts generated by its malware detection software, and failed to audit the vendor’s data security practices.  Little in the allegations is new, but the allegations are calculated to demonstrate that Target acted negligently in a fashion that consistently and adversely affected the entire putative class of card issuer banks.

To certify their proposed nationwide class, the card issuers will have to establish that choice of law principles allow application of Minnesota law to card-issuing banks located in all 50 states.  Were the court to find that each bank’s claim is subject to the law of its state in which it is chartered or has its principal place of business, the numerous and substantial differences in the laws of those states could preclude adjudication of all of the banks’ claims in a single class.

Otherwise, the linchpin of plaintiffs’ argument is that this case should be tried as a class action because all of the banks suffered common harms arising from the regulatory requirements that apply to compromised cards, including costs associated with card cancellation, notice to customers, account monitoring activity, and refunds for fraudulent charges.   Plaintiffs fail, however, to address predominance issues associated with the inability to determine whether fraud losses on compromised cards arose from the Target breach, or from theft of the card data somewhere else.  In In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D 389 (D. Mass. 2007), the court held that endemic fraud levels in the payment card industry made it impossible to determine with any certainty which losses result from a data breach, thereby requiring individualized proceedings on damages that preclude class certification.  Plaintiffs allege that their expert can accurately calculate which fraud losses were attributable to the Target breach.  It is likely that Target’s opposition papers have focused on this issue and will contest the ability to trace fraud losses to the Target breach.

Finally, plaintiffs’ papers ignore the question of whether resolution of claims in the federal court is superior to use of the Visa and MasterCard dispute resolution processes.  Although the recently-announced Visa settlement had not been finalized as of the July 1 filing of plaintiff’s motion papers, the earlier unsuccessful attempt to resolve claims through the MasterCard settlement process plainly demonstrates the availability of that process to resolve card issuer data breach claims.  Plaintiffs make no attempt to address that issue either.  Given their conclusion of the Visa settlement and renewed attempts to pursue a MasterCard settlement, Target is likely to argue that the availability of such processes mean a federal court class action does not afford a superior mechanism to resolve the claims of card-issuer banks.

Target’s opposition to the class certification motion was filed on August 5 but, like plaintiffs’ motion papers, was filed under seal.  Target’s papers will not be available to the public until redactions can be made to avoid disclosure of commercially sensitive information.

Target has announced that it has entered into a settlement with Visa to resolve claims of issuers of Visa credit and debit cards arising from Target’s November 2013 data breach.  The proposed settlement will pay issuers of Visa payment cards up to $67 million to reimburse losses associated with the theft of card numbers from Target POS terminals.  Unlike an earlier proposed $19 million settlement with MasterCard, the Visa settlement does not require card issuer approval.  The MasterCard settlement agreement terminated in May 2015 for failure to gain the required approval of issuers of 90% or more of the affected cards.  Additional details of this settlement will follow as they become available.

 

In the wake of Target’s April 15 announcement of a private $19 million settlement of the data breach claims of MasterCard-issuing banks, counsel representing the putative card issuer class in the consolidated Target data breach litigation moved to enjoin the proposed settlement, arguing that it is an improper end-run around the Minnesota federal court’s adjudication of card issuer claims.  Target has responded that the settlement appropriately uses dispute resolution processes in MasterCard’s operating agreements to address breach-related losses, and employs a process that has been endorsed by other federal courts in prior data breach cases.  The motion awaits action by Judge Magnuson, who is presiding over the consolidated cases pending against Target. Continue Reading Target and Card Issuers Dispute Use of MasterCard Settlement to Resolve Data Breach Claims

Written by Kevin Mc Ginty

Federal District Judge Paul Magnuson has ruled that banks that issued credit and debit cards to customers whose data was stolen in the December 2013 Target data breach could continue to litigate claims against Target for negligence and violation of Minnesota’s Plastic Security Card Act (“MPCSA”), Minn. Stat. § 325E.64.  The claims of the issuer banks originated in multiple lawsuits that were among the 71 separate actions filed nationwide that the federal Judicial Panel on Multidistrict Litigation consolidated for pretrial proceedings in the District of MinnesotaThe December 2 ruling is significant both for its conclusion that Target owed a duty of care to issuer banks with respect to data security and for its rejection of Target’s argument that the MPSCA should not apply to all Target transactions nationwide, but instead should be limited to transactions that occurred in Minnesota stores.  The decision does not, however, eliminate challenges that the issuer banks are likely to face both with respect to proving their allegations and obtaining certification of a plaintiff class.

Continue Reading Issuer Banks’ Claims in Target Data Breach Litigation Survive Motion to Dismiss

Happy Cinco de Mayo!

Breaking news this Privacy Monday:  The fallout from the massive Target Corporation data breach continues.  This morning, the Target board announced that Chief Executive Officer Gregg Steinhafel has resigned effective immediately.  The company has appointed Chief Financial Officer John Mulligan as interim president and chief executive.  Steinhafel spent 35 years with Target, and both his resignation letter and the board’s statement reference the data breach.  Steinhafel:  “The last several months have tested Target in unprecedented ways.”   The board:  “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family. ”

Read more:   USA Today

Forbes

Time

A commercial interruption from Privacy & Security Matters:  Today, we start a new 5-part series – “Cyber Risks – Director Liability and Potential Gaps in D&O Coverage”   Make sure to check back later today and every day this week!

Sally Beauty CEO to Step Down

Steinhafel is not the only CEO hitting the bricks at a company following a data breach.   Sally Beauty CEO Gary Winterhalter will resign effective April 30, 2015.  The company was criticized for its handling of a recent data breach exposing credit and debit card data of customers.

AOL Admits Data Breach and Advises Users to Update Passwords

Details were few, but AOL did finally ‘fess up to a data breach that apparently allowed spammers to take control of user accounts and send massive amounts of spam through those accounts.   AOL recommended that users change passwords.   No other details were released regarding how long the breach had been ongoing.

 

And, we’ll leave you with Things you May Not Know About Cinco de Mayo