By now, we all know about the massive data breach at national retailer Target over the 2013 holiday season. The cyber-attack was carried out by sophisticated criminal hackers, who allegedly gained access to Target’s network through credentials they stole from a third-party vendor whom Target retained for HVAC maintenance. Once inside the Target network, the hackers deployed custom point-of-sale malware to Target’s registers, which collected credit and debit card information “in real time” when customers swiped their cards at Target registers between December 2, 2013 and December 15, 2013.
Target faces several class-action lawsuits from banks and consumers arising out of the data breach that were consolidated in the retailer’s home state of Minnesota before U.S. District Judge Paul Magnuson. Last week, on September 2, 2014, Target filed a motion to dismiss the claims of a group of five payment-card-issuing banks, credit unions, and savings associations (“Banks”) that seek damages that include costs associated with reissuing payment cards to customers and reimbursing fraudulent charges.
In their complaint, the banks assert counts for negligence and negligent misrepresentation by omission, as well as for violation of the Minnesota Plastic Card Security Act (“PCSA”) and negligence per se based on the PCSA. Target’s motion contends that the banks’ complaint fails to state a claim under each of the theories alleged.
According to Target’s application, card issuers like the banks participate in an “extensive network of financial institutions” that together process retail payment card transactions. This process begins with a financial institution, like the banks, issuing a payment card to a consumer. The consumer then may choose to use that payment card to make purchases at retail merchants, such as Target. When this occurs, the merchant obtains authorization and payment for the transactions not from the bank that issued the card (the “issuing bank”), but rather from a payment processor and/or a merchant bank (an “acquiring bank”) that has contracted with the merchant to handle the transaction.
The acquiring bank in turn obtains authorization and payment under its separate contract with a payment card company such as Visa and MasterCard, and the card brand in turn obtains authorization and funding under its separate contract with the issuing bank. Thus, issuing banks and merchants have no direct dealings with one another in the payment card transaction process.
Target contends that the banks’ negligence and negligent misrepresentation claims turn on there being a never-before-recognized “special relationship” between merchants, like Target, and payment card issuers, like the banks, that justifies creation and imposition of a “new” common-law duty of care.
The motion argues that the banks are sophisticated parties that do not even have a direct relationship with Target, much less a special relationship that might suffice to create such a duty in either the negligence or negligent misrepresentation context. In simpler terms, Target argues that the banks’ negligence and negligent misrepresentation claims all boil down to the contention that a merchant has a common-law duty to take certain steps to protect issuing banks from financial losses caused by third-party criminal attacks aimed at stealing payment card data, which is not recognized by Minnesota law.
Target goes on to argue that the facts alleged do not justify the imposition of “new” and “unprecedented” common-law tort duties under Minnesota law as (1) the Minnesota Legislature already has addressed the issue of when a merchant might be liable to an issuer following a data breach; (2) the contractual regime upon which the Banks base many of their claims already provides a system under which issuers may be compensated following a data breach; and (3) courts in other jurisdictions already have refused to impose common-law tort duties based on similar allegations.
Further, according to Target, even if that were not the case, the Banks’ failure to plead other elements of their claims, such as breach, an actionable misrepresentation by omission, or reliance, nevertheless requires dismissal. With respect to the Banks’ PCSA claim and the accompanying negligence per se claim, the motion argues that the Banks’ own allegations confirm that the breach involved theft of payment card data “in real time,” which is outside the scope of a PCSA violation.
It will be interesting to see if the District Court addresses head-on the issue of whether a merchant or retailer such as Target has a common-law duty to take certain steps to protect issuing banks from financial losses caused by third-party criminal attacks aimed at stealing payment card data, and if so, the scope of that duty. Further, a ruling on the motion to dismiss has the potential to address the application and scope of the PCSA with respect to a financial institution’s ability to sue organizations that expose payment card data due to a security breach. As such, the District Court’s handling of Target’s motion to dismiss will be closely watched to see whether and how the Court’s ruling affects the rights and potential liabilities of merchants and payment-card-issuing institutions going forward.