Bank Files Unique Suit Against Target

Umpqua Bank Alleges Violations of Minnesota Statute
Bank Files Unique Suit Against Target

Umpqua Holdings Corp. is the latest U.S. banking institution to file a class action lawsuit against Target Corp., alleging the big-name retailer is responsible for reimbursing card issuers for the expenses and fraud losses they have suffered because of Target's data breach.

See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys

But the Umpqua case is a bit different.

The $11.6 billion bank filed its suit March 10 against Target, alleging violations of the Minnesota Plastic Card Security Act. Target is based in Minneapolis.

Cybersecurity attorney and financial fraud expert Joseph Burton says Umpqua's reliance on the Minnesota act is unique and could prove more fruitful than the other cases filed so far against Target.

"First it prohibits retailers doing business in Minnesota, Target's headquarters, from retaining sensitive card stripe data after authorization of the transaction," says Burton, who serves as managing partner for the San Francisco office for the firm Duane Morris. "Second, it requires a retailer who has violated this prohibition to reimburse the responsive costs incurred by any financial institution which issued payment cards affected by the breach of the retailer's system. While a number of states had in the past professed an interest in passing similar statutes, Minnesota is the only one that has done so."

Umpqua's complaint alleges that Target improperly stored card data, thus violating compliance with the Payment Card Industry Data Security Standard and the Minnesota statute, he says.

"All in all, the complaint does a clever and novel job of trying to tie the PCI standards, which are really a private, contractually based requirement, and specified state law requirements as a means of supporting a general duty of care owed by a retailer, not only to his customer, but to anyone else adversely impacted by that retailer's culpable behavior," Burton says. "It will, nonetheless, likely be a tough legal row to hoe."

Privacy attorney David Navetta, co-founder of the Information Law Group and former co-chairman of the American Bar Association's Information Security Committee, agrees Umpqua's case won't be easy to argue. Still, he says, "It's the first case I have seen that has listed the Minnesota Plastic Card Security Act as a cause of action."

Navetta is curious to see if other banking institutions will follow Umpqua's lead.

In the suits filed so far, banking institutions claim Target should be responsible for card re-issuance and replacement expenses that have been incurred by issuers as a result of the retailer's breach, which is estimated to have exposed some 40 million debit and credit cards (see Suits Against Target Make 'Statement').

Burton says he doubts any of these early suits will bear much fruit for banking institutions; proving contractually that Target is liable for losses is difficult.

"The cases that have been brought so far don't really offer what I would say would be a clear theory of liability," Burton says. "I think it's going to be a tough trail," adding that most of the cases filed so far will likely be settled out of court.

That's because case law involving card breaches is limited, he says.

"If you look at the law, the deck is really stacked against the banks," Burton explains. "I am not aware of a case in which a bank has sued a retailer in this sort of situation. That's not to say it's not possible to have a case. But Target is the first case; and first cases, like the early explorers, there are arrows in the back to show for it."

Card Breaches: The Case Law

Most class action suits filed by banks and credit unions in the wake of card breaches have not involved retailers, or they have been settled, Burton notes.

Two of the most noteworthy cases illustrate Burton's point. The 2008 class action suits brought against Maine-based grocery chain Hannaford Brothers for a breach it unearthed in March of that year were later settled out of court. And that class action was brought against Hannaford by consumers, not banks.

The second breach suit, which was filed against Heartland Payment Systems in the wake of its 2008 breach is a little different.

Card issuers sued Heartland for recovery of expenses linked to card re-issuance and fraud after the processor's network was hacked and an estimated 130 million U.S. payment cards were compromised.

The case was initially dismissed. But in February 2013, card issuers filed an appeal to reverse the lower court's decision. In September 2013, the Fifth Circuit Federal Appellate Court favored the banks and reversed the district court's ruling.

Navetta says the theories alleged and upheld in the Heartland case could benefit banking institutions in their cases against Target.

"Even if they happen to participate in the card brands' fraud and operating expense recovery programs, they recover only a portion of their out-of-pocket losses," he says. "If they don't participate in those recovery programs, they are left without a direct remedy in most cases."

But while the Heartland dispute was ultimately a win for the banks, the case did not involve suing a retailer.

"Previous cases involve some other players," Burton says. "They didn't involve banks versus retailers. ... It's a very complicated issue."


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.