MINNEAPOLIS (11/24/14)--The attorney for retail giant Target Corp. told a U.S. District judge Friday to dismiss the lawsuit brought against it by financial institutions for the losses they incurred after Target's data security breach last December.
The breach compromised 40 million debit and credit card numbers and the personal information of as many as 70 million customers.
In filing the motion to dismiss, Douglas Meal told U.S. District Judge Paul Magnuson that Target had no legal obligation to protect the financial institutions--which include $286 million-asset CSE FCU, Lake Charles, La.--because there was no "special relationship" between the parties.
Magnuson didn't rule.
The lawsuit is playing out as representatives from financial organizations, including the Credit Union National Association, are pressing Congress to take action to hold retailers more accountable for data security breaches and to bring them under the same privacy standards as financial institutions with regard to financial data, Ars Technica reported (Nov. 22).
A survey by CUNA found that as a result of the Target breach, credit unions experienced 4.6 million compromised cards, leading to about $30.6 million in related costs.
Karl Cambronne, who is representing the financial institutions, told Magnuson that the Minnesota Plastic Card Security Act requires Target to guard against a possible breach. The law prohibits the retailer from retaining some personal data after a sale, Cambronne said (Bloomberg Nov. 21).
"We reject the notion that this case is all about the obvious, that is, the bad guys hacked into the system," Cambronne said. "Twice the Visa and MasterCard system had warned Target this malware is out there and you are not protected from it."
Target contends the plastic card law does not apply because the data theft happened at the point of sale.