As the costs of the 2013 Target breach hit $252 million on its way to an estimated $1 billion, a federal judge green-lighted a lawsuit by regional banks and credit unions that could push even more of that cost onto the retail giant and set an important precedent for the payments industry.

If the December ruling by U.S. District Court Judge Paul Magnuson came as a surprise to attorneys and IT security pros alike, one sentence in his decision brought genuine shock: “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.”

Until Magnuson green-lighted the banks’ lawsuit, litigation against Target seemed to be on the well-worn path established by attorneys in every massive data breach. Financial institutions often go to court to claim that a retailer had a foreseeable data security vulnerability. Since a data breach was predictable, the banks claim, merchants should therefore bear the brunt of the costs. Legal observers nevertheless expected that the court would, as usual, rule in favor of the retailer, based on the expectation that the banks would be unable to demonstrate that they absorbed any damages. 

Not this time. In fact, a coalition of financial institutions – credit unions and local and regional banks – had signaled their intention to take on Big Retail by insisting that merchants absorb more of the fallout from data breaches. If the smaller banks have their way in court, the powerful money-center banks stand to gain, too, as the lawsuit proposes to include every credit card issuer whose customers made purchases at Target in 2013.

OUR EXPERTS: Breach consequences

Andy Crocker, founder, Protect2020

Andrew Braunberg, research director, NSS Labs

Jared Carstensen, CISO, CRH

Marcus Christian, attorney, Mayer Brown

Mike English, executive director, product development, Heartland Payment Systems

Kurt Hagerman, CISO, FireHost

Tiffany Jones, chief revenue officer, iSight Partners

Avivah Litan, vice president and analyst, Gartner

Andrew Plato, president and CEO, Anitian

Thomas Smedinghoff, partner, Edwards Wildman Palmer

Stephen Treglia, legal counsel, Absolute Software

Who pays?

“I think the courts are, in effect, saying, ‘if a retailer has a duty and it breaches that duty, it is going to have to pay for the resulting damages,’” says Thomas Smedinghoff, a partner at Edwards Wildman Palmer, which in January merged with Locke Lord LLP, creating Locke Lord Edwards, a firm with more than 1,000 lawyers in 23 cities around the world. “I am seeing that the balance is definitely shifting on companies to provide reasonable security. But there is no uniform national law that says that.” 

Minnesota – Target’s home state – legally defined “reasonableness” in 2007 by passing legislation that requires merchants to adhere to the Payment Card Industry Data Security Standard (PCI DSS), a private industry standard designed to compel merchants to safeguard credit card data and payment systems. “So it [the reasonableness standard] is going to come from a lot of different sources,” Smedinghoff says. “PCI, common law, contract law.” 

Stephen Treglia, legal counsel specializing in investigations at Absolute Software, the Vancouver-based provider of endpoint security products, and a former county prosecutor in the New York City suburbs specializing in cybercrime, makes a similar point. “Judges, for a long time, have said that just because you have been a victim of identity theft doesn’t mean you have a loss.” Now, however, in the wake of the banks’ Target lawsuit, he says, “the legal system as a whole has to think through the formal equation of what counts as damages. We are still very much in the early stages.”

It may be months before the banks’ lawsuit against Target is settled. Yet the mere fact of its existence could change the balance of power between merchants and financial institutions. Others may be caught in the crossfire. “What we are seeing is that retailers are starting to sue their QSAs [qualified security assessors] to help pay for the cost of data breaches,” says Kurt Hagerman, CISO at FireHost, a Richardson, Texas-based secure cloud hosting provider.

Retailers are fighting back

More tensions, conflict and maneuvers around these issues are likely in the months ahead as cybercrooks keep at it, says Marcus Christian, a Washington, D.C.-based attorney with Mayer Brown, an international law firm. “Right now you have a situation where it is hard to get your arms around the risk,” says Christian. “Even cyber-insurers don’t have the long history where they will be able to calculate what the losses will be” in the event of a breach.

Soon after his ruling on the banks’ lawsuit, Judge Magnuson also refused to dismiss a separate lawsuit filed against Target by consumer groups. The C-suite is taking note, says Jared Carstensen, CISO at the international construction firm CRH, and a leading member of the Irish chapter of ISACA. “The liability lawsuits and the loss of customers is shifting the mindset.” 

The retailers are fighting back. Big merchant groups claimed that it is retailers who actually absorb the costs of breaches by, among other things, paying for credit card reissuance under the terms of their contracts with Visa and MasterCard.

Moreover, if the banks have a beef with their fraud and data breach costs, they have only themselves to blame for their failure to upgrade credit cards to chip-and-pin EMV technology, says Avivah Litan, vice president and analyst at Gartner, the Stamford, Conn.-based consulting firm. They had plenty of time to pay for it as a group when the technology became available eight years ago, she says. “There is a collective responsibility. Banks are more responsible than the retailers because they should have upgraded the technology.”

Amid this controversy, IT security vendors must work with customers on all sides – and not just to find the right technology, says Andrew Plato, president and CEO of Anitian, a Beaverton, Ore.-based provider of security, compliance and risk management solutions. “People have technology fatigue,” he says. What’s needed, he contends, is the development of systems and processes to assess and manage risk, and to clearly establish liability through contracts.

Tiffany Jones, chief revenue officer for iSight Partners, a Dallas-based provider of threat intelligence services, makes a similar point. “If bad guys want to get in and they’re highly sophisticated, they will find a way to do that,” she says. “But if an organization or a company has taken reasonable steps in terms of security architecture and best practices, and have met that reasonableness standard, there needs to be some hearty discussion as to where those organizations are still liable.”

Yet, assessing cybersecurity risk – and deciding which party must take on that risk when contracts are signed – remains difficult, says Andrew Braunberg, a research director at NSS Labs, the Austin, Texas-based research firm. There is potentially a shift in the landscape in which merchants may have greater liability, he says. But the issues will likely linger until insurance companies can amass better information. “Let them drive best practices based on actual breach data,” he says.

In this current environment, CISOs and other data security specialists involved in payments will need patience and a long-term perspective, says Mike English, executive director, product development at Princeton, N.J.-based Heartland Payment Systems. “Even merchants and businesses that implement EMV still need to maintain PCI,” he says. “We are not going to see mag stripe go away any time soon.”

While the financial institutions and merchants battle it out in court, the data security industry is attempting to meet the needs of both camps by offering encryption and tokenization technology, English says. “When people implement EMV solutions, the vast majority are migrating to encryption and tokenization at the same time.” That technology, he says, “is going to decrease the number and severity of breaches, fines and assessments we see in the U.S.”

In the meantime, the breaches keep coming – and whatever technology is in place, the question of who pays may well be decided in a Minnesota courtroom.