Large Databases of Customer Information are…a Target

By: Geoff Wills

On December 19, 2013, Target Corporation confirmed that it was aware of unauthorized access to payment card data impacting any Target customer who made credit or debit card purchases in its U.S. stores.[1]  The data breach occurred between November 27, 2013 and December 15, 2013.[2]  Target's press release acknowledged that approximately 40 million credit and debit card accounts might have been impacted.[3]  As news broke and the issue was investigated, that number has now increased to 70 million customers, and includes online shoppers.[4]  The cyber attack on Target is the second-largest retail cyber attack in history, and has resulted in investigations by state prosecutors and attorneys general.[5]  It has also resulted in numerous complaints filed across the country by individuals, all vying for the ever-elusive "class action" status.[6]

The hackers—who are still unknown and at large—stole personal information from a database comprised of names, addresses, telephone numbers, and email addresses.[7]  All of this information, which was obtained through the magnetic stripe in debit and credit cards, could allow false magnetic stripe credit cards to be made, creating the potential for 70 million new cases of identity theft.  This emerging crime is big business: it cost 13.3 billion dollars in 2010, and impacted seven percent of the nation.[8]  So what can be done, both legally and personally, to prevent or remedy this?

To reduce the likelihood of a data breach, one technology that could be used in the United States is EMV chips in debit and credit cards.[9]  EMV, named after its founders—EuroPay International, Mastercard, and Visa—has become the standard in the rest of the world.  EMV is a small computer chip embedded within a card, making for a more secure card.[10]  The biggest reason EMV technology has yet to become the standard in debit and credit cards in the United States is cost.[11]  A card equipped with EMV costs roughly three times as much to make as a non-EMV-equipped card.[12]  This would cost financial institutions more up front, but could go a long way in providing peace of mind and instilling confidence in their customers.

Unfortunately for the victims of this most recent breach, it is too late to prevent the identity theft.  Victims of this crime are now turning toward the legal system to remedy their harm.  Dozens of lawsuits seeking class-action status have already been filed, primarily alleging that Target was negligent in its handling of card data.[13]  While these cases are likely to put pressure on Target to settle out of court, courts have been reluctant in the past to find for plaintiffs in similar cases due to the difficulty of showing that privacy loss led to financial loss.[14]  Target is also being proactive in the matter, providing credit monitoring to impacted customers, as well as public assurances that victims of this fraud will not be financially responsible.[15]  Target is likely to face state and federal investigations.  Multiple attorneys general, including Rhode Island Attorney General Peter F. Kilmartin, have already sent letters to Target's headquarters requesting information on the security breach.[16]

Looking to similar past cases shows how reluctant courts have been to hold retail stores liable for security breaches that have caused identity theft.  In Banknorth, N.A. v. BJ's Wholesale Club, Inc., a federal court dismissed all claims against BJ's.[17]  This case was not filed by impacted customers, but by an impacted financial institution.  In Banknorth, plaintiffs filed suit after third parties hacked into computer files maintained by BJ's, which resulted in confidential customer information being used for identity theft.[18]  Plaintiffs alleged three claims: breach of contract, negligence, and equitable subrogation.[19]  Focusing on the negligence claim, Banknorth alleged that BJ's breached its duty of care by retaining customer information and failing to protect it, and that such negligence caused unauthorized third parties to obtain customer information for fraudulent purposes.[20]  The court rejected this negligence claim, citing the economic loss rule.[21]  Because the alleged negligence only resulted in economic loss and no physical harm, BJ's had no liability.[22]  As in Banknorth, the economic loss rule could have large implications for deciding upcoming cases filed by victims of the Target data breach.

The consequences of this tremendous data breach are likely to be far-reaching, and could have significant implications for how customer information obtained from credit and debit cards is stored and used.  As society moves increasingly toward cashless transactions, keeping personal data secure and confidential will become even more important, and the battle will rage on between security and hackers.  Due to past decisions and the economic loss rule, it is likely that the best method to fix this large issue rests in the hands of Congress and governmental regulation, and not in continuous, ongoing litigation.  This would also be a better mechanism for change as most claims involving multiple plaintiffs and large corporations are likely to never reach litigation, as many are settled out of court in an effort to maintain brand recognition.  Look for many more significant data breaches in the upcoming future, and don't forget to always be on the lookout for identity theft.

 


[1] Press Release, Target Corp., Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores (Dec. 19, 2013), http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores. (Last visited January 15, 2014).

[2] Id.

[3] Id.

[4] Paul Ziobro, Target Now Says 70 Million People Hit in Data Breach, Wall St. J. (Jan. 10, 2014, 8:36 PM), http://online.wsj.com/news/articles/SB10001424052702303754404579312232546392464.

[5] Target Data Breach Hits at Least 70 Million Customers, Chi. Trib. (Jan. 10, 2014, 7:27 PM), http://www.chicagotribune.com/business/breaking/chi-target-data-breach-affected-70-million-customers-20140110,0,621285.story. (Last visited January 15, 2014).

[6] Katie Mulvaney, Kilmartin Seeks More Information From Target Corp. on Massive Security Breach, Providence J. (Dec. 31, 2013, 10:12 PM), http://www.providencejournal.com/breaking-news/content/20131231-kilmartin-seeks-more-information-from-target-corp.-on-massive-security-breach.ece; Joel Rosenblatt, Target Sued by Shopper Over Data Security Breach Claims, Bloomberg L. (Dec. 20, 2013, 1:06 AM), http://about.bloomberglaw.com/legal-news/target-sued-by-shopper-over-data-security-breach-claims/.

[7]  Paul Ziobro, supra note 4.

[8] Jeff Sovern, How Common is Identity Theft?, Consumer L. and Pol’y Blog, Nov. 16, 2012, http://pubcit.typepad.com/clpblog/2012/11/how-common-is-identity-theft.html.

[9]  Elizabeth Dexheimer, Target Breach Spurs Push for Anti-Fraud Card Technology, Bloomberg News (Jan. 15, 2014, 12:00 AM), http://www.bloomberg.com/news/2014-01-15/target-breach-spurs-push-for-anti-fraud-card-technology.html.

[10] Id.

[11] Id.

[12] Id.

[13] Joel Rosenblatt, supra note 6.

[14] Jacob Gershman, Target's Breach is Bigger Than Thought, But Legal Exposure is Uncertain, Wall St. J. L. Blog (Jan. 10, 2014, 6:11 PM), http://blogs.wsj.com/law/2014/01/10/targets-breach-is-bigger-than-thought-but-legal-exposure-is-uncertain/.

[15] Id.

[16] Katie Mulvaney, supra note 6.

[17] See Banknorth, N.A. v. BJ’s Wholesale Club, Inc., 442 F.Supp.2d 206 (M.D. Pa. 2006).

[18] See id.

[19] Id. at 208.

[20] Banknorth, 442 F.Supp.2d at 208.

[21] Id.

[22] Id. at 211.