Earlier this week, a U.S. judge ruled that banks can proceed with a class action suit filed against Target for a data breach that occurred in 2013. A U.S. District Court judge in St. Paul Minnesota affirmed Target's negligence in the data hack, which compromised upwards of 40 million credit cards. This decision enables the $5 million class action to be maintained under the representation of the five primary plaintiffs: Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain.
The judge's ruling follows just weeks after Target agreed to a $67 million settlement with Visa in which it would compensate thousands of financial institutions for the costs they suffered as a result of the 2013 breach. It is unclear at this time how many Visa card issuers agreed to accept the terms of that settlement, the deadline for which was September 4th. But attorney Charles Zimmerman, one of the lead lawyers who is representing the plaintiffs in this new class action suit, feels that the Visa deal, as well as a $19 million settlement with MasterCard that fell through earlier this year when not enough banks accepted the terms of the agreement, does not go far enough to reimburse banks for their losses. As reported by Ars Technica, Target has attempted to block the class-action lawsuit in part by arguing that the affected financial institutions were not required by law to re-issue the compromised payment cards and should therefore not be reimbursed. The U.S. judge issued a response to this position:
"Target argues that because Plaintiffs were not required by contract, law, or regulation to reissue the so called 'alerted-on' cards, reissuance was a business decision and not an injury proximately caused by the breach. What Target suggests is that, because there was no requirement to act, financial institutions should have done nothing in the face of dire alerts regarding the data breach issued by the card-issuing companies and by Target itself and the known potential consequences for the institutions’ customers. The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach."
Target has thus far paid $200 million as a result of the 2013 breach, an amount which includes $21 million for "legal and other professional services" in the first half of this year. This newest class action suit will likely only increase that amount.