Could Target’s Position with Banks Be a Sign of Things to Come?

Minneapolis, MNIt may have been one of the largest data breach events in US history, with millions of consumers affected. However, retail juggernaut Target Corporation (Target) has let it be known that it plans to aggressively fight any allegation that it dropped the ball in terms of security protocols, and its recent stance with banks and other financial partners could provide a bit of a window into Target’s potential strategy.

According to various sources, well over 100 million Target customers are believed to have had their personal and/or financial information compromised when Target was hacked last year. Data breach lawsuits are flowing in from disgruntled consumers not impressed that sensitive information may have fallen into the hands and control of unsavory individuals, not to mention the breach of a perceived trust that a merchant would ensure such information was kept safe and secure.

However, consumers aren’t the only litigants in this data breach case. Various banks and credit unions are also joining the fray, in an attempt to hold Target legally responsible for losses incurred in the wake of the massive hack, by way of an amended class-action data breach lawsuit against Target filed in August.

Target moved swiftly to counter the lawsuit, filing a motion to dismiss in September based on the banks’ claim that there is a relationship within the card transaction process between the banks and Target that allow for the underpinnings of a claim. However, Target countered that “issuing banks and merchants have no direct dealings with one another in the payment card transaction process,” Target said in its motion.

Then, on October 22, Target turned up the rhetoric, maintaining that merchants are not liable to issuers following data breaches. Under data protection laws observed by the state of Minnesota, plaintiffs are required to establish what is described as a “special relationship” in order to pursue allegations that one party failed to protect another from a third party. Target maintains that “courts have already established that type of relationship doesn’t exist between merchants and issuers.”

Target is based in Minneapolis, Minnesota.

Target also disputes any claims of negligence by the banks, noting that banks and credit unions had already noted in their complaint(s) that Target had been duly conforming to the recognized Payment Card Industry Data Security Standard (PCI DSS) protocol.

“The mere fact of a sophisticated criminal intrusion does not imply negligence,” Target said. “As to the gravamen of the banks’ claim - that Target ‘failed to adhere to applicable industry [security] standards’ - the banks admit Target was certified as compliant with ‘all payment industry requirements, including the [PCI-DSS],’ and offer no rejoinder to Target’s argument that the banks have not adequately pled any PCI-DSS violation.”

One is left to wonder if Target will play the PCI DSS card as a defense against consumer litigation and other data breach lawsuits currently residing in multidistrict litigation (MDL). The case is In re: Target Corp. Customer Data Security Breach Litigation, case number 0:14-md-02522, in the US District Court for the District of Minnesota.