Law360, New York (December 09, 2014, 10:12 AM ET) -- In an order substantially denying Target Corporation’s motion to dismiss a data breach lawsuit filed against it, the United States District Court for the District of Minnesota made several findings that should matter to any business that receives, collects, or uses credit cards or other sensitive customer data.
First, the court found that businesses can owe a direct duty to banks to safeguard those banks’ customers’ personal data. This finding removes a significant legal hurdle from data breach claims against businesses by issuer banks (banks that provide credit to businesses’ consumers and issue payment cards) and may dramatically increase the litigation exposure for businesses.
Second, the court found that Target’s alleged failure to act promptly upon learning of a possible breach, coupled with its having allegedly disabled certain internal security mechanisms, stated a claim for breach of this duty. This second finding offers guidance that businesses can use to help insulate themselves from liability in similar litigation, should they find themselves the subject of a data breach: it highlights the need for commercially reasonable data security plans and practices.
The Dec. 2 order substantially denies Target’s motion to dismiss a consolidated class action complaint brought against it by a number of financial institutions that allege that they were damaged by Target’s claimed negligence, negligent misrepresentation, and violations of state law relating to a massive breach of Target’s customers’ credit card information.
Specifically, the complaint alleges that during the three weeks of the busy Christmas holiday shopping season in 2013, computer hackers stole credit- and debit-card information of approximately 110 million Target customers. The instant motion to dismiss addressed only the consolidated complaint against Target brought by financial institutions. Plaintiffs to the financial institution complaint are a putative class of issuer banks whose customers’ data is claimed to have been stolen in the data breach. Among the claims asserted by the financial institutions were claims that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data and that Target’s failure to inform the plaintiffs of its insufficient security constitutes a negligent misrepresentation by omission.
Central to Target’s motion to dismiss the negligence claims was its observation that the law generally does not impose on a defendant a duty to protect others from harm caused by a third party’s conduct (here, the hackers), absent a “special relationship” between the plaintiff and the defendant. Target argued that it owed no duty to the plaintiffs because there was no such special relationship and, under state law, a person has no duty to protect another from the harmful conduct, including criminal conduct, of a third person.
The plaintiffs responded by arguing that this case is not a third-party-harm case but rather a straightforward negligence case: Target’s own conduct, which is alleged to include failing to maintain appropriate data security measures and turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and the plaintiffs were the foreseeable victims of that harm. As a fallback, the plaintiffs argued that, even if this were a third-party-harm situation, they had adequately pled the existence of a special relationship. Surprisingly little law exists on the nature of the relationship between issuer banks and businesses and the common law duties owed in that relationship.
The court held that the plaintiffs had plausibly pled a general negligence case. Although third-party hackers’ activities obviously were among the factors that caused the claimed harm, the court found that the plaintiffs successfully alleged Target “played a key role in allowing the harm to occur” by purposefully disabling one of the security features that would have prevented the harm and by failing to heed certain warning signs as the hackers’ attack began. Thus, Target’s own conduct created a foreseeable risk of injury to foreseeable plaintiffs, the financial institutions. And the court found it appropriate, under the circumstances of the case, to impose a direct duty on Target to safeguard its and the plaintiffs’ customers’ data.
Imposing a direct duty on Target to safeguard the plaintiffs’ customers’ data was bolstered by the existence of a state statute, the Minnesota Plastic Card Security Act, which, among other things, governs the amount of time a business accepting electronic payments may retain certain data regarding payment transactions. However, as it relates to the negligence claim, the court’s reliance on this statute appears to be dicta; the court cited the statute as additional support for imposing a common law duty, but not as case-determinative to that imposition.
As to the plaintiffs’ negligent misrepresentation by omission claim, the court granted Target’s motion to dismiss. But that victory for Target may be Pyrrhic. The court dismissed the count only because the plaintiffs had inadequately pleaded reliance on the statement they claimed was rendered false or misleading by Target’s omission.
Notably, the court found that the plaintiffs adequately alleged the remaining elements of a material omission case. In particular, the court found sufficient the plaintiffs’ allegation that Target held itself out as having secure data systems, even though Target knew at the time it made those statements that it did not have secure systems and had taken affirmative steps to make its systems more vulnerable to attack. The court granted the plaintiffs leave to file an amended complaint within 30 days that adds sufficient allegations of reliance.
The ruling must be seen as a substantial victory for the plaintiffs. Before the order, there was a substantial question as to whether businesses, which are often several contractual steps removed from an issuer bank, owe these banks any common-law duties to protect customer data, and Target argued vigorously that it did not. The ruling rejects that argument, finding that, at least under the facts of this case, the issuer banks are foreseeable plaintiffs that have alleged a foreseeable harm. The ruling may thus have far-reaching consequences, in that it may become precedent for defining the relationship between businesses and the banks that issue credit to businesses’ customers, especially in the data breach context.
The ruling is of further importance in the data breach context because financial institutions may have larger damages claims against businesses for a data breach than customers do. Customers in these cases may have difficulty pointing to any already-incurred financial injury from a data breach: their information may have been stolen, but that doesn’t necessarily mean it has been used in a way that has caused pecuniary harm. Issuer banks, on the other hand, will argue they have suffered pecuniary harm in the form of expenses related to replacement customer cards, challenged customer transactions, and responses to customer complaints or concerns. Now one of the largest obstacles to the banks’ recovering these claimed injuries from businesses, the need to establish duties owed directly to the banks by those businesses, has been removed, at least in the District of Minnesota.
Companies that receive, collect or use sensitive customer data should pay close attention to the court’s emphasis on the specific facts of the alleged breaches of duty in this case. In refusing to dismiss the plaintiffs’ negligence claims, the court emphasized Target’s own conduct, pointing to Target’s claimed failure to act promptly upon learning of a possible breach and its having disabled internal security mechanisms. Companies should take away from this ruling the crucial need to create a record of reasonableness in their approach to data security, including a record showing that data security is treated seriously at all levels of the business.
Negligence is a conduct standard, and a business that can establish commercially reasonable data security plans and practices and a commercially reasonable response to any breach may be able to insulate itself from liability if a breach does occur. For example, companies should ensure that the technology deployed to protect against breaches is operating correctly; should treat alerts and warnings, both internal and external, seriously; should retain financial information only as long as necessary to complete transactions (and never longer than the period of time permitted by law); and should maintain current, industry-standard data security practices and breach response plans.
Unfortunately, at least in the District of Minnesota, these practices may not be sufficient to win a breach case on the pleadings.
—By Josh Gunnemann, Rogers & Hardin LLP
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.