On December 2, Target reached a settlement with banks, credit unions, and credit card issuers stemming from the massive 2013 data breach. The settlement calls for Target to pay the plaintiffs nearly $40 million—$20 million to affected banks and credit unions and $19 million to MasterCard issuers. The settlement compensates the plaintiffs—many of them community banks—for at least some of the expenses caused by Target’s data breach.
The banks began filing lawsuits against Target in early 2014, claiming that Target was negligent in storing and securing customer data. Although the banks made several claims, the central allegation was that Target violated the Minnesota Plastic Card Security Act (“PCSA”). The PCSA, passed in 2007, sets data security standards for companies that do business in Minnesota. The PCSA prohibits companies from retaining credit card information (including security code data, PIN codes, or magnetic stripe data) for more than 48 hours after a transaction. A retailer that retains credit card data in violation of the PCSA is liable to banks and card issuers for expenses they incur in the event of a data breach.
The Target cases were consolidated in federal court in Minnesota. Target asked the court to dismiss the lawsuits, arguing that its conduct did not violate the PCSA. Target claimed that the credit card data was stolen from the point of sale and not from its servers. Since the PCSA applies to information stored on a company’s servers, Target reasoned that the PCSA did not apply to its data breach. The court rejected Target’s argument, explaining that the banks’ complaint included allegations that at least some of the stolen data (card security codes) came from Target’s server. Following the court’s denial of Target’s motion to dismiss, the court ruled that the case could proceed as a class action lawsuit on behalf of all affected banks and card issuers. Following certification of the class action, Target settled with the banks and card issuers.
The Minnesota court’s rejection of Target’s motion to dismiss and Target’s subsequent decision to settle the lawsuits signal that retailers could be liable to banks in the event of a data breach. It is difficult to read broadly into the Target case because it was based specifically on the PCSA. Although the PCSA applies to any company conducting business in Minnesota, it is unclear whether a court would be willing to impose nationwide liability on a company that, unlike Target, is headquartered in another state and only conducts a small portion of its business in Minnesota. A few other states have laws similar to the PCSA, but most states (including Texas, which failed in its attempt to pass a similar law) do not. While we will have to wait to see the full impact of the Target case, the settlement is welcome news for banks, which can spend millions of dollars reissuing credit and debit cards after a major data breach. Indeed, bank trade groups estimated that their members incurred expenses exceeding $200 million as a result of the Target data breach. Going forward, banks may be able to recover some or all of their losses from retailers that experience data breaches.