Targeting Target: Bank seeks a remedy for Target's security related losses

On January 13, 2014, Connecticut based Putnam Bank (Putnam) filed a class action lawsuit against Target Corporation (Target) for losses resulting from  well publicized data security breaches at Target in 2013. Putnam seeks to represent a class of other similarly situated financial institutions who will suffer damages as a result of the 110 million credit and debit cards that were compromised by an apparent breach of Target's information security.   The complaint, filed in the United States District Court for the District of Minnesota, claims Putnam and other banks have suffered damages as a result of Target's 'misrepresentations, unfair and deceptive acts and practices, negligence, breach of contract, and improper retention of certain customer confidential information with respect to the data security breach.' The complaint points out that even Target publicly acknowledges that credit card numbers, expiration dates, the CVV security codes, customer names, mailing addresses, phone numbers, and email addresses were all stolen. Putnam claims that Target waited four weeks after the security breach to begin notifying customers. Even then, according to the complaint, Target sent out notices only after a 'respected security blogger' publicized the breach on December 18, 2013. That security blogger was Brian Krebs, of Krebs On Security, who relied upon and identified multiple sources before making the news public. According to Mr. Krebs, Target customer accounts stolen by thieves 'have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.' At stake for Putnam and other banks is the threat of reimbursing customers, reissuing cards, and incurring related costs without receiving any compensation from Target.  Putnam claims that Target should ultimately be responsible because Target failed to comply with credit card operating regulations and security standards that require safeguarding customer information. Putnam is seeking money damages, injunctive relief requiring Target to no longer improperly store and retain customer information, and attorneys' fees and costs. Putnam also seeks to have the money damages trebled due to Target's 'willful and knowing violations' of a Minnesota statute prohibiting deceptive acts. This case has a long way to go, and many issues must be settled, before it is resolved. One of the most significant early challenges will be for Putnam to identify members of the class of damaged banks, and to convince the court this case should continue as a class action. This blog will continue to monitor the progress of this case for its impact on the payment card industry and Iowa community banks.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

- John Lande