December 18, 2013, was a dark day for Target Corp. Nationally ousted as the victim of the largest retail data breach in history, Target’s CEO Gregg Steinhafel took pains to assure consumers “they will not be held financially responsible for any credit or debit card fraud.”
But according to a March 10, 2014, putative class action in the District of Minnesota, Case No. 0:14-cv-00643, by Umpqua Bank, Steinhafel’s statement “omits” the fact that “it is the nation’s financial institutions—and not Target—ensuring that this is the case.” According to Umpqua’s complaint, financial institutions are the ones incurring the real costs associated with protecting customer accounts. This includes providing notice to consumers, reissuing payment cards and refunding fraudulent charges. The cost of card replacement alone is estimated to ultimately rest around $200 million.
Since then, two more banks, Trustmark National Bank and Green Bank, N.A., have launched a similar class action against the retail giant in the Northern District of Illinois, Case No. 1:14-cv-02069, for its failure to maintain adequate data security protocols—despite suffering two nearly identical breaches in the years preceding this one. While largely similar, the Trustmark suit, filed March 24, 2014, departs from the aforementioned Umpqua suit in that it also seeks to hold security company Trustwave Holdings, Inc. liable as well.
“Trustwave failed to live up to its promises, or to meet industry standards,” the Trustmark complaint alleged. It goes on to claim the vendor’s failure to timely discover and/or report the breach to Target (or the public) further drove up costs. “The damage done to the banks and other class members is monumental,” the suit asserts. The alleged cost to banks/retailers could eventually exceed $18 billion.
In a striking turn of events, Trustwave publicly denied having done any cyberthreat mitigation work for Target on March 29, 2014. This denial came one day after the New-York based Trustmark National Bank filed a notice of voluntary dismissal without prejudice in the proposed class action. The notice did state, however, that Texas-based Green Bank, N.A. would nevertheless continue with the suit.
When a company suffers a data breach—and especially one as large as Target’s—it is eminently clear that an entire gamut of persons/entities may ultimately be affected. While the details of the Trustmark action appear largely unsettled, the fact that information security vendors are now being included in class actions is indicative of the expanding legal fallout associated with such data breaches.
The Umpqua Bank and Trustmark National Bank complaint(s):