Holding retailers accountable for bank losses caused by data breaches

Data breaches have become an all-too-common occurrence, with headlines announcing a new data breach nearly every week. While the impact of a data breach on consumers has been widely reported, the media often overlooks the impact on banks. When a data breach occurs, banks are on the hook for the costs of reissuing cards, notifying customers, and monitoring accounts for fraud. By some estimates, that costs around $8 per customer card. In large-scale data breaches such as the Target and Home Depot data breaches, that means hundreds of millions or even billions of dollars in bank losses. Instead of absorbing all of these costs, banks have started to fight back to hold retailers responsible for losses caused by a retailer’s lax data security.

Following recent large data breaches, banks have filed class action lawsuits against the retailers responsible for the data breach. For example, after the Target data breach, banks banded together to sue Target for negligence and violations of Minnesota law relating to credit card security practices. In December 2014, Judge Paul Magnuson denied Target’s motion to dismiss the lawsuit and ruled that Target owed a duty to banks to protect the confidential credit and debit card information of their customers. In December 2015, Target settled with the banks for nearly $40 million.

After the Home Depot data breach, banks and credit unions filed a class action lawsuit against Home Depot. Last week, Atlanta federal Judge Thomas Thrash denied Home Depot’s motion to dismiss the case. Judge Thrash explained:

The Court declines [Home Depot’s] invitation to hold that it had no legal duty to safeguard information even though it had warnings that its data security was inadequate and failed to heed them. To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyber attacks, leaving consumers with no recourse to recover damages even though the retailer was in a superior position to safeguard the public from such a risk.

As these cases make clear, banks may be able to recover some of their losses caused by the negligent security practices of retailers who are entrusted with debit and credit card data. Banks should consult with their legal counsel immediately following a data breach to determine what options they may have to recover their losses from the responsible party.