On Tuesday, a federal judge rejected Target Corporation’s attempt to dismiss multiple claims made by several banks in an effort to minimize their financial burdens caused by the retailer’s massive data breach in late 2013.
Following the compromise of 40 million customers’ credit cards, a group of financial institutions filed lawsuits against Target, claiming the retailer’s “conduct both caused and exacerbated the harm they suffered.”
Minnesota District Court Judge Paul A. Magnuson ruled the plaintiffs’ claims were valid, stating in his order:
“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”
As one of the first rulings to begin settling class action lawsuits between financial institutions and retailers, lawyers say the decision could pave the way for other data breach cases to come, including the way liability is distributed.
“What this ruling means is that the banks won’t necessarily be left holding the bag if the merchant was negligent in the way it maintained and safeguarded customer information,” said Craig Newman, managing partner at Richards Kibbe & Orbe, to the New York Times.
Where complicated contracts between merchants, payment processors and credit card companies previously handled the hefty expenses, Newman added Magnuson’s order may reassess “who’s responsible for paying the significant costs associated with a hacking incident.”
The plaintiffs in the case include Umpqua Bank in Roseburg, Oregon; Mutual Bank in Whitman, Massachusetts; Village Bank in St. Francis, Minnesota; CSE Federal Credit Union in Lake Charles, Louisiana; and First Federal Savings of Lorain in Lorain, Ohio.
In addition to the bank’s class action suit, Target faces related cases from affected consumers, which the retailer has also asked to be dismissed.