Judge's denial to dismiss Target case encouraging, CUNA says

December 3, 2014

ST. PAUL, Minn. (12/4/14)--A federal judge has denied a motion by Target to dismiss the lawsuit against the company as a result of last year's data breach--a move that is encouraging to the Credit Union National Association.

U.S. District Court Judge Paul Magnuson said Tuesday that three of the four counts in the plaintiff's complaint against Target will stand.

Click to view larger imageA look at the costs to credit unions as a result of the Target data breach. (CUNA Graphic)

According to Magnuson's ruling, "Plaintiffs have plausibly pled a claim for negligence, a violation of the [Plastic Card Security Act], and negligence per se. Plaintiffs failed to plead reliance, however, and therefore their negligent misrepresentation claim must be dismissed without prejudice."

CUNA General Counsel Eric Richard said the decision is a positive development that is encouraging to the trade association.

"Although any recovery for credit unions from this litigation remains uncertain and potentially years away, we are glad the court understands the basic reality that merchants owe a duty of care to financial institutions," he said. "CUNA will continue to work with litigators across the country to pursue every legal avenue for credit unions as a result of the failure of merchants to safeguard the data of their customers."

The plaintiffs, which include $286 million-asset CSE FCU, Lake Charles, La., have claimed Target:

  • Was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data;

  • Violated Minnesota's PCSA, which states that "Whenever there is a breach of the security of the system of a person or entity that has violated this section ... that person or entity shall reimburse the financial institution that issued any [credit or debit cards] affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach;

  • Was negligent by violating the PCSA; and

  • Failed to inform plaintiffs of its insufficient security, which constitutes a negligent misrepresentation by omission.

Attorney Craig Newman, who advises on data security issues, told The Hill Wednesday that the ruling "is one of the first decisions that clarifies the legal muddle" between retailers and financial institutions, adding that the ruling means these institutions "won't necessarily be left holding the bag."

Target's data security breach, which occurred one year ago, compromised 40 million debit and credit card numbers and the personal information of as many as 70 million customers.

"With the holiday spending season under way, the potential for another massive breach like last year's Target violation is on the horizon," said Jim Nussle, CUNA's president/CEO. "Nothing is being done to quell these breaches on the retailers' end, nor are retailers like Target reimbursing credit unions for the losses credit unions suffered due to insufficient merchant data security standards.

"One year later, credit unions still haven't received anything in reimbursements from the store chain--and that really stings."

Stop the Data Breaches

Identity Theft: Who’s Got Your Number? electronic member seminar kit

Anytime Adviser ID Theft coach

Lock Down Your Smartphone drive-up envelope

Stickley on Security

Awareness Technologies/CUNA Strategic Services

DH Compushare/CUNA Strategic Services

SilverSky/CUNA Strategic Services

TraceSecurity/CUNA Strategic Services