One common occurrence after the disclosure by a retailer of a breach affecting card present payment card data used to be the filing of claims by banks that issued payment cards affected by the incident. The banks bringing the claims were usually smaller banks seeking to recover the costs of reissuing new cards and counterfeit fraud charges on the cards. Courts consistently dismissed these claims (e.g., BJ’s Wholesale, TJX). The issuing banks were losing because: (1) they did not have a contractual relationship with the retailer, so they could not bring a breach of contract claim; (2) they could not establish themselves as an intended third-party beneficiary of any card network operating regulations; and (3) because the banks were seeking purely economic damages (i.e., not damages caused by personal injury) retailers were able to rely on the economic-loss doctrine to defeat negligence or other tort claims. Because of this precedent, lawsuits by issuing banks became less common.

Because of the scope of the attack on Target and armed with more information about how the attack occurred (likely due to leaks by third parties who were part of the investigation process) than is usually publicly available, issuing banks brought claims against Target. Those claims were consolidated in the MDL proceeding in Minnesota federal court. The consolidated complaint of the issuing banks asserted four claims against Target on behalf of the putative class of issuing banks: (1) negligence; (2) violation of Minnesota’s Plastic Card Security Act (“PCSA); (3) negligence per se based on the alleged violation of the PCSA; and (4) negligent misrepresentation by omission due to Target’s alleged failure to inform banks of Target’s alleged deficient security. Target moved to dismiss all four claims. In a December 2, 2014 ruling, the court allowed the first three claims to proceed and gave the banks 30 days to file an amended complaint to re-plead their negligent misrepresentation claim.

The notable aspects of the court’s ruling include:

  • The court rejected Target’s argument that the banks must show that they had a special relationship with Target to support the existence of a duty as an element of their negligence claim. Rather, the court found, “at the preliminary stage of the litigation” that the banks plausibly pled a general negligence claim based on their assertions that Target failed to maintain appropriate security measures. Indeed, the court stated that the banks’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to state a direct negligence claim.
  • The court referenced the In re Heartland decision to reject Target’s argument about the burden caused by imposing a duty on Target to safeguard payment card data. The court’s reference seemed to imply that merchants somehow have accepted that they have a duty to safeguard payment card data by referring to the Visa and MasterCard operating regulations, which the court stated specify procedures for issuing banks to make claims in the event of data breaches. This reference misses the mark—the Visa and MasterCard operating regulations apply directly to each network’s members (issuers and acquirers), and merchants are not members. While merchants may contractually obligate themselves in agreements with acquiring banks to, for example, comply with the regulations (e.g., PCI DSS), it is erroneous to say that existence of operating regulations issued unilaterally by Visa and MasterCard shows a voluntary assumption by merchants of any duty. Moreover, the claims procedures referenced by the court are actually assessment programs created by Visa and MasterCard to attempt to identify what they assert to be the costs incurred by issuing banks to monitor and re-issue at risk cards and incremental counterfeit fraud charges on at risk cards. The assessment made by Visa and MasterCard, however, is made against the acquiring bank of the merchant, not the merchant itself.
  • If the issuing banks amend the negligent misrepresentation claim, they have to allege how they relied to their detriment on their allegation that Target held itself out as having secure data systems when Target knew that it did not. If the banks do attempt to amend, it seems that they will have to allege that they would not have authorized transaction approval requests coming from Target.
  • Target argued that the PCSA applies only to transactions that occur in Minnesota. The court rejected this argument, stating that the PCSA applies to all transactions at Target (even those outside Minnesota) because Target does business in Minnesota, and, thus, its data retention practices are subject to the PCSA. The court rejected Target’s assertion that application to out-of-state transactions would violate the dormant Commerce Clause.
  • Target also argued that the PCSA prohibits only the retention of data, and the attack on Target did not involve data that was stored in a database. The court appeared to recognize that the attack involved malware that captured payment card data in transit after it was swiped at a point-of-sale device (which is how memory scrapers work). But the court relied on two assertions by the banks to let the claim survive: (1) the attacker harvested the card data and then stored it on Target’s servers for days before sending the data out of the system, thus Target’s servers did retain the data in violation of the law; and (2) an odd assertion that the attacker would not have been able to steal all of the magnetic strip information, specifically, the card’s CVV code, without accessing the customer data Target stored on its servers. Whatever confusion about the contents of track data and how the attack against Target occurred may have allowed the banks to make these assertions, this appears to be an assertion that will not survive scrutiny during discovery. The “track data” in the magnetic strip of a payment card does contain a verification code value needed to create a counterfeit card, and that value is different than the verification value printed on the back of payment cards that is often used to authenticate card not present transactions.