ST. PAUL, Minn. (CN) - A federal judge declined to dismiss negligence claims filed against retail giant Target by banks and credit unions in the wake of a massive consumer data breach.
U.S. District Court Judge Paul Magnuson dismissed just one of four consolidated claims by financial institutions, who maintain Target negligently failed to protect consumer data from hackers in 2013.
Data from as many as 70 million credit and debit cards used at Target stores were compromised during the holiday shopping season, with hackers making off with names, credit card numbers, security codes and expiration dates.
After the breach was discovered, Target offered cardholders a year's free subscription to a credit monitoring and identity protection service, and also said it would not hold customers responsible for fraudulent charges.
Nevertheless, scores of lawsuits followed, initiated both by consumers and financial institutions. Judge Magnuson's decision pertains only to the claims filed by the latter, who claim they bear the cost of replacing compromised cards and absorbing fraudulent charges.
Target moved to dismiss the institutions' claims it failed to provide adequate data protection, violated Minnesota's Plastic Security Card Act and failed to inform them of its "insufficient security." The retailer claims the plaintiffs "failed to plead sufficient facts" to support their claims.
With the exception of the negligence-by-omission claim, Judge Magnuson sided with the banks.
"At this preliminary stage of the litigation, Plaintiffs have plausibly pled a general negligence case," he writes. "Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur."
According to the order, the plaintiffs allege Target disabled a layered security feature that could easily have prevented the breach.
"Imposing a duty on Target in this case will aid Minnesota's policy of punishing companies that do not secure consumers' credit- and debit-card information," Magnuson writes.
Target also unsuccessfully argued the Plastic Security Card Act claims are invalid because they apply only to transactions in Minnesota and address data retention rather than the point-of-sale data harvesting characteristic of this breach.
"Target's first argument is not well taken," Magnuson writes. "The PCSA does not discriminate between in-state and out-of-state transactions or economic interests. Rather, it applies only to Minnesota companies' data security practices and does not purport to regulate the practices of any non-Minnesota company. And it applies equally to the Minnesota companies' data retention practices with respect to in-state and out-of-state transactions."
Further, part of the breach allegedly involved storing stolen credit card data on Target servers for six days before sending it to the hackers, the order states. This constitutes retained data and renders Plastic Security Card Act claims valid, according to the order.
But when it came to the plaintiff's negligent misrepresentation claim, Magnuson held they failed to show they reliance to support the claim.
The financial institutions have 30 days to file an amended complaint showing reliance to support their negligence-by-omission claim, the order states.