Target case could 'alter the distribution' of security breach risk between retailers and card issuers, says expert

Out-Law News | 05 Dec 2014 | 5:31 pm | 3 min. read

A forthcoming legal battle between banks and US retail giant Target could result in a change to the liabilities accepted by banks and retailers when there is a major payment card security breach, an expert has said.

Earlier this week, a US district court judge in Minnesota (16-page / 64KB PDF) gave several financial institutions permission to proceed with a case they have brought against Target. The case relates to the fallout from a hacking attack on Target last year which resulted in approximately 110 million of its customers' personal data being stolen. The credit and debit card details of approximately 40m of those individuals were compromised in the attack.

Banking litigation specialist Michael Isaacs of Pinsent Masons, the law firm behind Out-Law.com, said that whilst the fraud risks in transactions are allocated by contract between the parties involved, some costs are taken by the card issuer – notably the cost of cancelling and re-issuing cards to customers affected by the theft of their details. Card issuers face costs estimated at $400m to replace payment cards as a result of the incident, according to a report by the New York Times.

The financial institutions have claimed that Target "was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data", and that the company violated Minnesota laws on payment card data security. They claimed that the violation of those laws also demonstrated that Target had acted negligently and that the retailer's "failure to inform" them of "its insufficient security" was a "negligent misrepresentation" on its part. Consumer groups are also suing Target in relation to the attack, claiming that the retailer had played a role which had allowed the hacking to occur; for example by ignoring warnings from its security systems, and turning off some of their own security measures.

The US judge accepted that the banks’ claim that Target had been negligent was sufficiently arguable to merit the case going to a full trial, and dismissed Target's bid to have the case against it thrown out.

"Whilst this is an interlocutory decision of a US district court using Minnesota law, card issuers, including banks, will be looking at this case with interest," Isaacs said. "The distribution of risk in card transactions between the card issuer, the merchant and merchant acquirer could well be altered if the financial institutions succeed to any degree."

Isaacs explained that, as in English law, Minnesota law suggests that one person has no duty to protect another from the criminal conduct of a third party, unless there is a "special relationship" between them. However, he said the US judge had agreed that it is at least arguable that Target was under a duty of care to the financial institutions and that it had breached this duty.

The US judge said that Target has an arguable case to answer that its own conduct created "a foreseeable risk of injury" to the financial institutions. Isaacs said the finding was interesting because of there are similarities between what English law and Minnesota law say on the issue of when a duty of care exists.

"Two of the requirements of Minnesota law of ‘foreseeability of harm’ and a connection between Target’s conduct and the injury suffered are akin to the ‘neighbour principle’ that will be familiar to English lawyers," Isaacs said. "The English law principle is that one needs to take reasonable care to avoid acts or omissions which one can reasonably foresee would be likely to injure someone that is so closely and directly affected by one’s act that one ought reasonably to have them in contemplation."

However, Isaacs issued a note of caution about the significance of the US court's ruling. He said that, in deciding whether to reject Target's motion to dismiss the case put forward by the financial institutions against it, the judge had to assume that the financial institution's assertions of facts were correct, and determine whether there was a case, on the face of it, for Target to answer.

"It is rather like defeating an application to strike out a case in the English courts,” said Isaacs. "It does not mean that the case will succeed – it simply means that it is arguable and not hopeless. It was also notable that Target did not contest causation of loss, which you would have to think is a major trial issue given that a third party fraudster is involved.”

Isaacs said, though, that it was "of itself significant" that the financial institutions had persuaded the judge to “allow them to pursue their case against a fellow victim of crime on the basis that it had failed to protect not just itself but other parties". He said the case, as it develops, will be of interest to both card issuers and retailers.