BreachExchange mailing list archives

Bank Files Unique Suit Against Target


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Mar 2014 18:50:15 -0600

http://www.databreachtoday.com/bank-files-unique-suit-against-target-a-6639

Umpqua Holdings Corp. is the latest U.S. banking institution to file a
class action lawsuit against Target Corp., alleging the big-name retailer
is responsible for reimbursing card issuers for the expenses and fraud
losses they have suffered because of Target's data breach.

But the Umpqua case is a bit different.

The $11.6 billion bank filed its suit March 10 against Target, alleging
violations of the Minnesota Plastic Card Security Act. Target is based in
Minneapolis.

Cybersecurity attorney and financial fraud expert Joseph Burton says
Umpqua's reliance on the Minnesota act is unique and could prove more
fruitful than the other cases filed so far against Target.

"First, it prohibits retailers doing business in Minnesota, Target's
headquarters, from retaining sensitive card stripe data after authorization
of the transaction," says Burton, who serves as managing partner for the
San Francisco office for the firm Duane Morris. "Second, it requires a
retailer who has violated this prohibition to reimburse the responsive
costs incurred by any financial institution which issued payment cards
affected by the breach of the retailer's system. While a number of states
had in the past professed an interest in passing similar statutes,
Minnesota is the only one that has done so."

Umpqua's complaint alleges that Target improperly stored card data, thus
violating compliance with the Payment Card Industry Data Security Standard
and the Minnesota statute, he says.

"All in all, the complaint does a clever and novel job of trying to tie the
PCI standards, which are really a private, contractually based requirement,
and specified state law requirements as a means of supporting a general
duty of care owed by a retailer, not only to his customer, but to anyone
else adversely impacted by that retailer's culpable behavior," Burton says.
"It will, nonetheless, likely be a tough legal row to hoe."

Privacy attorney David Navetta, co-founder of the Information Law Group and
former co-chairman of the American Bar Association's Information Security
Committee, agrees Umpqua's case won't be easy to argue. Still, he says,
"It's the first case I have seen that has listed the Minnesota Plastic Card
Security Act as a cause of action."

Navetta is curious to see if other banking institutions will follow
Umpqua's lead.

In the suits filed so far, banking institutions claim Target should be
responsible for card re-issuance and replacement expenses that have been
incurred by issuers as a result of the retailer's breach, which is
estimated to have exposed some 40 million debit and credit cards (see Suits
Against Target Make 'Statement').

Burton says he doubts any of these early suits will bear much fruit for
banking institutions; proving contractually that Target is liable for
losses is difficult.

"The cases that have been brought so far don't really offer what I would
say would be a clear theory of liability," Burton says. "I think it's going
to be a tough trail," he adds, noting that most of the cases filed so far
will likely be settled out of court.

That's because case law involving card breaches is limited, he says.

"If you look at the law, the deck is really stacked against the banks,"
Burton explains. "I am not aware of a case in which a bank has sued a
retailer in this sort of situation. That's not to say it's not possible to
have a case. But Target is the first case; and first cases, like the early
explorers, there are arrows in the back to show for it."

Card Breaches: The Case Law

Most class action suits filed by banks and credit unions in the wake of
card breaches have not involved retailers, or they have been settled,
Burton notes.

Two of the most noteworthy cases illustrate Burton's point. The 2008 class
action suits brought against Maine-based grocery chain Hannaford Brothers
for a breach it unearthed in March of that year were later settled out of
court. And that class action was brought against Hannaford by consumers,
not banks.

The second breach suit, which was filed against Heartland Payment Systems
in the wake of its 2008 breach, is a little different.

Card issuers sued Heartland for recovery of expenses linked to card
re-issuance and fraud after the processor's network was hacked and an
estimated 130 million U.S. payment cards were compromised.

The case was initially dismissed. But in February 2013, card issuers filed
an appeal to reverse the lower court's decision. In September 2013, the
Fifth Circuit Federal Appellate Court favored the banks and reversed the
district court's ruling.

Navetta says the theories alleged and upheld in the Heartland case could
benefit banking institutions in their cases against Target.

"Even if they happen to participate in the card brands' fraud and operating
expense recovery programs, they recover only a portion of their
out-of-pocket losses," he says. "If they don't participate in those
recovery programs, they are left without a direct remedy in most cases."

But while the Heartland dispute was ultimately a win for the banks, the
case did not involve suing a retailer.

"Previous cases involve some other players," Burton says. "They didn't
involve banks versus retailers. ... It's a very complicated issue."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss