Passing the buck: Data breach

As the costs of the 2013 Target breach hit $252 million on its way to an estimated $1 billion, a federal judge green-lighted a lawsuit by regional banks and credit unions that could push even more of that cost onto the retail giant and set an important precedent for the payments industry.

If the December ruling by U.S. District Court Judge Paul Magnuson came as a surprise to attorneys and IT security pros alike, one sentence in his decision brought genuine shock: “Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.”

Until Magnuson green-lighted the banks' lawsuit, litigation against Target seemed to be on the well-worn path established by attorneys in every massive data breach. Financial institutions often go to court to claim that a retailer had a foreseeable data security vulnerability. Since a data breach was predictable, the banks claim, merchants should therefore bear the brunt of the costs. Legal observers nevertheless expected that the court would, as usual, rule in favor of the retailer, based on the expectation that the banks would be unable to demonstrate that they absorbed any damages. 

Not this time. In fact, a coalition of financial institutions – credit unions and local and regional banks – had signaled their intention to take on Big Retail by insisting that merchants absorb more of the fallout from data breaches. If the smaller banks have their way in court, the powerful money-center banks stand to gain, too, as the lawsuit proposes to include every credit card issuer whose customers made purchases at Target in 2013.

Breach consequences

Andy Crocker, founder, Protect2020 

Andrew Braunberg, research director, NSS Labs 

Jared Carstensen, CISO, CRH 

Marcus Christian, attorney, Mayer Brown 

Mike English, executive director, product development, Heartland Payment Systems 

Kurt Hagerman, CISO, FireHost 

Tiffany Jones, chief revenue officer, iSight Partners 

Avivah Litan, vice president and analyst, Gartner 

Andrew Plato, president and CEO, Anitian

Thomas Smedinghoff, partner, Edwards Wildman Palmer

Stephen Treglia, legal counsel, Absolute Software

Who pays?

“I think the courts are, in effect, saying, ‘if a retailer has a duty and it breaches that duty, it is going to have to pay for the resulting damages,'” says Thomas Smedinghoff, a partner at Edwards Wildman Palmer, which in January merged with Locke Lord LLP, creating Locke Lord Edwards, a firm with more than 1,000 lawyers in 23 cities around the world. “I am seeing that the balance is definitely shifting on companies to provide reasonable security. But there is no uniform national law that says that.” 

Minnesota – Target's home state – legally defined “reasonableness” in 2007 by passing legislation that requires merchants to adhere to the Payment Card Industry Data Security Standard (PCI DSS), a private industry standard designed to compel merchants to safeguard credit card data and payment systems. “So it [the reasonableness standard] is going to come from a lot of different sources,” Smedinghoff says. “PCI, common law, contract law.” 

Stephen Treglia, legal counsel specializing in investigations at Absolute Software, the Vancouver-based provider of endpoint security products, and a former county prosecutor in the New York City suburbs specializing in cybercrime, makes a similar point. “Judges, for a long time, have said that just because you have been a victim of identity theft doesn't mean you have a loss.” Now, however, in the wake of the banks' Target lawsuit, he says, “the legal system as a whole has to think through the formal equation of what counts as damages. We are still very much in the early stages.”

It may be months before the banks' lawsuit against Target is settled. Yet the mere fact of its existence could change the balance of power between merchants and financial institutions. Others may be caught in the crossfire. “What we are seeing is that retailers are starting to sue their QSAs [qualified security assessors] to help pay for the cost of data breaches,” says Kurt Hagerman, CISO at FireHost, a Richardson, Texas-based secure cloud hosting provider.