Target Decision Squeezes Merchants: Now What?
Is the tide turning in data breach cases? Can Captain Ahab really retire? Inquiring minds want to know.
Earlier this week, a federal district court in Minnesota ruled that a group of financial institutions including at least one credit union could go forward with its claim that Target was negligent in letting hackers steal credit and debit card information from more than 110 million consumers last year. (In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522 PAM/JJK, 2014 WL 6775314, at *4 (D. Minn. Dec. 2, 2014)). The case follows a decision by the Court of Appeals for the Fifth Circuit to allow financial institutions to go forward with a similar claim against Heartland Payment Systems, which they allege negligently stored plastic card information also stolen by third-party hackers. (Lone Star Nat. Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421, 426 (5th Cir. 2013)).
Both of these cases are welcome developments for credit unions. The industry has correctly argued for years now that there is too little responsibility placed on merchants when it comes to protecting against data breaches. However, these developments also underscore just how important it is to couple legal action with a multi-pronged push to achieve data breach protections on both the state and federal level.
Most importantly, any litigation in this area will ultimately depend on the interpretation of individual state laws and legal standards. For instance, Target is incorporated in Minnesota, which I believe was the first state in the nation to pass legislation imposing liability on merchants that negligently store debit and credit card information. In refusing to dismiss the case against Target, the district court noted that the claim of the financial institutions was “bolstered” by the statute, which underscored the state’s policy of expecting merchants to protect against data breaches. In the Hartland case, the circuit courts decision to allow the financial institutions to go forward was based on its interpretation of New Jersey case law.
The importance of state law and regulation to the outcome of these cases demonstrates that in this area more than others a coordinated attempt to pass data breach legislation on both the state and federal level is paramount for the industry. Every time financial institutions bring one of these cases it puts more pressure on merchants to consider coming to the negotiating table and agree to uniform data storage requirements. In addition, it’s impossible to predict what Congress will do in this area, but both the Hartland and Target decisions demonstrate that much could be done on the state level regardless of what machinations take place in D.C. The cases also raise an important issue for the industry to consider as it continues to push for data breach requirements. My guess is that the merchants will ultimately agree to data protection requirements in return for preemption of state laws. If the lawsuits continue to trend in favor of financial institutions, we may reach a point where the value of federal data breach standards is outweighed by the value of state-imposed liability.
Keith Leggett to Retire
Dr. Keith Leggett, Senior Vice President at the American Bankers Association and self-problaimed Captain Ahab to the credit union industry’s white whale, announced that he will be retiring early next year. Keith is a professional gad-fly to the credit union industry best known to many of you for writing his Credit Union Watch blog. He reportedly will continue to write this blog even in retirement, so we aren’t quite done with his cogent barbs.
I have a soft spot for anyone who reads my blog and a special soft spot for anyone who takes the time to respond to one of my tirades, even if they disagree with everything I’ve said. I’ve gotten to know Keith a little as a result of comments to my blogs. He even has been nice enough to give me the heads up on a typo or two. So Keith, I hope you have a better retirement than Captain Ahab and thanks for the input.