Southern Minnesota banks file data breach lawsuit

Five First Farmer & Merchant Banks in the southern part of the state filed a lawsuit against Minnesota-based Target Corp. for damages alleging stemming from that retailer’s data breach in late 2013. Although a number of banks in the United States have sued Target over the security violation of its computer system, experts say this is the first lawsuit from financial establishments in Target’s home state. The case could have a large impact over the state’s 2007 Plastic Card Security Card Act.

In February, Target disclosed that the personal information belonging to approximately 70 million consumers was stolen along with payment information for 40 million people. Target’s CEO also stated that the true number of people impacted by the data breach would be overstated and misunderstood. He also said that a portion of the hacked information included duplicates and overlap between personal and credit card information.

The banks filed the suit in the U.S. District Court in Minnesota on Feb. 22 charging Target with negligence, negligence per se, breach of contract and with violating the Plastic Card Security Act. The plaintiffs did not claim a specific damage amount. However, they allege that the banks had to refund fraudulent charges, deal with checking and savings account closings and reopenings and cancel and reissue credit cards. In the United States, banks and credit unions estimated spending more than $200 million as of Feb. 2014 replacing credit and debit cards whose data was misappropriated in the breach.

Minnesota’s Plastic Card Security Act requires a merchant to reimburse financial institutions for losses from a data breach if the merchant improperly holds payment card data and does not sufficiently protect the data. Only three states have this type of law.

Businesses and consumers, in addition to financial institutions, may seek damages from companies that do not protect confidential information and adequately address the challenges pose by new information technologies. Businesses should make sure they understand their legal rights and obligations so that it does not, among other things, engage in a breach of fiduciary duty of protecting confidential information and preventing fraud. Otherwise, the business could face a legal suit by consumers or other entities.

Source: Minneapolis Star Tribune, “Five outside Minnesota banks sue Target over data breach,” Jennifer Bjorhus, Feb. 25, 2014

FindLaw Network