BreachExchange mailing list archives

Data Breach Litigation – Financial Institutions Score Another Shot


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 Jan 2015 20:10:10 -0700

http://www.jdsupra.com/legalnews/data-breach-litigation-financial-insti-49488/

Previously I wrote about banks joining the legal battle over data breaches.
Anyone not living under a rock knows that there is multidistrict class
action litigation involving Target’s massive data breach [1] in December 2013
(“Target MDL”). It is not as well known that in the Target MDL there are 3
different categories of class action cases: (1) Bank Cases, (2) Consumer
Cases, and (3) Shareholder Cases.

In the Bank Cases, the plaintiffs contend that Target (i) was negligent in
failing to provide sufficient security to prevent the hackers from
accessing customer data, (ii) violated Minnesota’s Plastic Security Card
Act (“PSCA”), (iii) its violation of the PSCA constitutes negligence per
se, and (iv) its failure to inform the Banks of its insufficient security
constitutes a negligent misrepresentation by omission.

Recently the Banks scored an initial victory when the court denied Target’s
motion to dismiss on the claims of negligence, violation of the PSCA, and
negligence per se.

Target attacked the negligence claim primarily based on the argument that
the Banks failed to sufficiently allege that Target owed them a duty. The
court didn’t buy it. It ruled that the Banks adequately pled that Target
owed them a duty of care finding that Target played a key role in allowing
the third-party hackers’ harm to occur. Key to the court’s ruling is that
Target purposely disabled one of the security features that would have
prevented the harm itself, i.e., Target’s own conduct created a foreseeable
risk of injury to a foreseeable plaintiff. This ruling could have a ripple
effect in the Consumer Cases and Shareholder Cases against Target.

Further discussing the duty Target owed to the Banks, the court, in dicta,
states that institutional parties to credit- and debit-card transactions
have already voluntarily assumed duties toward one another. This could have
a tremendous ripple effect in a variety of data breach lawsuits filed by
banks.

Interestingly, Target did not argue that the Banks failed to plead
injury/damages arising from the data breach, which is the usual attack on
consumer data breach lawsuits.

This ruling makes it even more important for businesses to preventatively
plan for a data breach, particularly for businesses that conduct credit- and
debit-card transactions. Important in any cyber security plan is a risk
assessment of the data security system, which should be performed by a
third-party vendor and not internal IT. You should know now – not later –
if any data security features have been disabled.

[1] As the court described the data breach in its Memorandum and Order,
“over a period of more than three weeks during the busy Christmas holiday
shopping season, computer hackers had stolen credit- and debit-card
information for approximately 110 million of Target’s customers.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss