A predicted storm of litigation over Target's card data breach has begun to break over Target.
Last week, a second credit union filed a complaint against Target over losses it said it sustained as a result of the breach and law firms representing community banks announced their clients had also filed complaints.
The 5700 member, $38 million First Choice Federal Credit Union in New Castle, Pa., filed its complaint in federal court on Jan. 31.
The 28,000 member, $211 million Alabama State Employees Credit Union filed its complaint in early January. Both complaints are class actions.
Because of the later filing, the First Choice complaint included Target's Jan. 10 announcement of additional records stolen as well as reports of stolen credit and debit card numbers from the Target breach being sold on criminal websites in other counties.
“As a direct and proximate result of the Target Data Breach, Plaintiff and members of the Class have been damaged, because Target's wrongful conduct has caused Class members to incur significant losses associated with credit and debit card cancellation and/or reissuance;” First Choice wrote in its complaint, adding: “customer reimbursement for fraud losses; lost interest and transaction fees; lost customers; administrative expenses associated with monitoring and preventing fraud and administrative expenses in dealing with customer confusion; and claims alleging fraudulent activity”
The Pittsburgh law firms of Carlson Lynch, Del Sole Cavanaugh Stroyd, and Berger & Montague filed the complaint for the credit union and issued a statement.
“The complaint alleges that Target knew or should have known that its payment processes were vulnerable to this sort of attack, yet the company failed to take adequate measures to protect sensitive data and did not inform customers or financial institutions about the ongoing attack for several weeks after it was discovered. We believe Target is liable under Minnesota state law (where Target's headquarters are located) for these damages, and the purpose of the suit is to recover some of these losses for the plaintiffs.”
Meanwhile the Beaumont, Texas, law firm of Provost Umphrey has filed a complaint in Minnesota on behalf of CommunityBank of Texas, a Beaumont based bank, and FNBT.com Inc., an online bank headquartered in Fort Walton Beach, Fla.
“We feel that CommunityBank is well positioned to represent a nationwide class of banks, credit unions and other financial institutions. It is too early to determine just how much money banks have lost, but early indications are that losses could run in the hundreds of millions of dollars,” attorneys working for the firm said when they filed the complaint.
According to the lawsuit, the breach was the direct and foreseeable result of Target's failure to implement and maintain reasonable, industry-standard security measures to protect its customers’ credit card, debit card, and personal information.
Additionally, credit card companies require merchants to comply with regulations aimed at safeguarding customer information. These regulations generally prohibit the retention and storage of cardholder information after a transaction has been authorized, the firm noted.
While the legal storm might have begun to break over Target, its outcome likely remains very away and does not necessarily promise victory to the plaintiffs.
First, the profusion of lawsuits around the country means it is almost certain the courts will consolidate the cases into one venue in one court charged with hearing the cases and there is no guarantee of the outcome or its timeliness. Credit unions damaged by the Heartland data breach in 2008 were still fighting the case in 2013 and the outcome has yet to be finalized.
But executives in the credit unions which have brought these suits in the past have contended that they see their institutions holding the large retail firms and processors accountable for the damage they have done to their members. They also argue that Visa and MasterCard's fines for the breaches are so limited that strong legal action is one of the only ways to make retail firms and processors take the need for data security more seriously.