As the stakes go up, so do the creativity of the legal defenses.
According to an article in Bloomberg news, Target says that they have no legal obligation to banks that claim they lost tens of millions of dollars as a result of last year’s breach and they want the judge to dismiss the case.
The banks argue that the Minnesota Plastic Card Security Act law, which is relevant because of where Target’s headquarters is located (in Minneapolis) allows them to recover losses. The law requires businesses that don’t adequately protect financial information to reimburse for any losses from a breach. Minnesota is one of 3 states that have such a law.
The law prohibits the retention of certain payment card data for more than 48 hours. The prohibited data includes full card numbers, security codes, PINs and any full track data.
Target is, in effect, questioning the legality of this law. They are arguing that in the absence of a “special relationship” with the banks, they aren’t responsible to the banks for anything. I assume a special relationship is legal-speak for a contract. Since Target has a relationship with a credit card processor and not the banks directly, that is the angle.
Target argued that the data theft happened at the point of sale and the plastic card law doesn’t apply. Creative to be sure.
However, I don’t see anything in the law that requires a special relationship in order to invoke the law. Nor do I see anything that says point of sale device attacks are excluded.
Given that there are hundreds of millions of dollars at stake if you assume that 40 million plus cards were compromised, it is not a big surprise that Target is grasping at any legal angle it can find. If it only costs the banks $10 per compromised card to notify the cardholder, reissue the card, deal with calls, cover losses, etc., which I suspect is way low, that bill would be $400 million or more. Oral arguments are scheduled for December 11th. No matter the outcome, the decision is likely to be appealed, so don’t expect an early answer to this issue.
Assuming they are successful, they then have to navigate the interesting , landmine strewn, path of explaining to their customers, with whom they do not have a “special relationship”, that they should not be concerned about using their credit card at Target – or even shopping there – because Target is responsible if anything happens. I want to watch that bit of spin doctoring.