Target Data Breach Ruling May Guide Home Depot Litigation

September 18, 2014
Law360

Types : In the News

A judge will soon decide whether Target Corp. must continue fighting claims that it should be held accountable for costs banks incurred in replacing customer payment cards, a potential $18 billion liability, in a ruling that may guide the courts’ handling of other data breach cases including Home Depot‘s, attorneys say.

Target filed its motion to dismiss earlier this month that seeks to derail a consolidated class action complaint brought by a group of banks that issue credit and debit cards. In its motion, Target says the complaint is attempting to impose upon the retailer a “novel” duty of care on its handling of payment card information that the retailer says it does not owe the banks.

There is a dearth of case law over whether retailers owe such a duty to banks, which is why an expected ruling by U.S. District Judge Paul Magnuson on Target’s motion to dismiss likely will influence how banks proceed in other data breach cases like Home Depot’s, attorneys say. First Choice Federal Credit Union sued Home Depot on Wednesday in what appears to be the first suit brought by a financial institution against the home improvement store.

Target says the relationship its lawsuit is attempting to impose on the company is between the card-issuing banks and individual consumers. In its motion, the company said that “issuing banks and merchants have no direct dealings with one another in the payment card transaction process.”

In the absence of cases that are directly analogous to the Target data breach, the company’s lawyers have cited several cases that deal with issues important to the bank’s claims but present different underlying fact patterns, attorneys say. Target argues that courts and legislators in Minnesota, where the litigation is proceeding, have consistently rejected attempts to extend the duty of care to merchants.

“Today’s reality is crying for some new case law to guide affected parties,” BakerHostetler partner Judy Selby said. “When you read the motion, they have to rely on cases that are certainly relevant, but they dealt with very different factual situations.”

“Many statutes were drafted before any of these types of cybersecurity issues were on anyone’s radar screen,” she said.

In a footnote, Target’s attorneys say they have found only one case in which a merchant has owed an issuing bank a duty of care. Negligence claims in that case, which involved BJ’s Wholesale Club Inc. and was decided in Pennsylvania, were subsequently dismissed under a different legal theory on appeal.

Target argues that the BJ’s decision is “inapposite for purposes of determining if the banks have met their burden under Minnesota law.” 

The lack of cases in the banks’ favor as well as the general reluctance of courts to extend duties between banks and merchants will make it difficult for them to defeat Target’s motion to dismiss, said David Brown of Montgomery McCracken Walker & Rhoads LLP.

“When you only have the one outlying decision, it’s going to be an uphill battle,” Brown said.

Brown said that in negligence cases, courts are generally careful not to extend the duty of care to parties that do not have a direct relationship with one another. If they do, oftentimes the duty is extended to vulnerable parties – like between property owners and their guests, he said. 

But in the Target case, the banks are sophisticated business parties, not usually the type of institutions that courts would recognize as having a special relationship with a merchant like Target, Brown said. 

In its brief, Target says that the banks that have filed suit “are precisely the type of sophisticated commercial actors for which a special relationship will not be found.”

“When you’re talking about negligence, courts are careful not to extend duties to parties without a direct relationship,” Brown said.

As many as 110 million Target customers are believed to have had their personal or financial information compromised in the attack, making it one of the largest data breaches in U.S. history.

Target is one of the largest retailers in the U.S., with nearly 2,000 locations in the U.S. and Canada. The banks filed an amended class action complaint against Target in August.

The plaintiffs are represented by Zimmerman Reed, Chestnut Cambronne PA, Reinhardt Wendorf & Blanchfield, Lockridge Grindal Nauen PLLP, Levin Fishbein Sedran & Berman, Barrett Law Group PA and others.

Target is represented by Faegre Baker Daniels LLP and Ropes & Gray LLP.

The case is In re: Target Corp. Customer Data Security Breach Litigation, case number 0:14-md-02522, in the U.S. District Court for the District of Minnesota.

–Editing by Jeremy Barker and Richard McVay.

All Content © 2003-2014, Portfolio Media, Inc.

Download PDF for full article