Target found negligent in data breach, argues against culpability

It's been one year since Target's (NYSE:TGT) data breach disrupted the retailer's holiday season, and two current court cases could determine whether the retailer should pay both consumers and credit card companies for the losses incurred.

The Minnesota District Court on Dec. 2 found Target negligent, paving the way for lawsuits as banks and financial institutions potentially seek compensation. A second case before the same judge will decide if Target should make restitution for losses to individual shoppers affected by the breach. 

Target's data breach occurred in November and December 2013, and compromised the payment card information of 40 million shoppers and the personal information of 70 million. The culprit was a third-party contractor, an HVAC professional, who inadvertently allowed hackers access to the retailer's POS network.

The court acknowledged that third-party hackers were to blame, but "Target played a key role in allowing the harm to occur," wrote Judge Paul Magnuson, according to InfoSecurity Magazine. "Indeed, Plaintiffs' allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case."

Lawyers for Target argued that the retailer had no responsibility to protect card issuers and no special relationship with them, so there could be no basis to find Target responsible for causing the third parties harm.

But negligence was found, thanks to Target's own choices. The retailer admittedly turned off its early warning FireEye system and ignored multiple warnings. And so, hackers infiltrated Target's poorly sequestered network.

The ruling, while opening the door for retailers to bear financial responsibility for costly data breaches, only affects those headquartered in Minnesota, or those that store data in that state.

But it does open the door for credit card issuers to seek restitution from retailers.

"Data breaches at retailers have cost credit unions and their members a minimum of $90 million—and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million," said Credit Union National Association President and CEO Jim Nussle. "With the many other breaches that have also occurred—at Staples, Neiman Marcus and others—certainly credit unions have incurred millions more in costs this year."

Target is counting on last year's no-harm, no-foul ruling by the U.S. Supreme Court to dismiss the roughly six dozen lawsuits filed after the data breach was made public. Those suits are now consolidated in the Minnesota court, but may have been filed too quickly for plaintiffs to actually experience the kind of consequences needed to exhibit damage.

The cases have implications for the many other retailers that suffered data breaches this year including Home Depot (NYSE:HD).

*An earlier version of this story appeared in FierceRetail's sister publication, FierceRetailIT.

For more:
-Read the court ruling
-See this InfoSecurity Magazine story
-See this Credit Union National Association statement
-See this Bloomberg News story
