A federal judge on Tuesday (Dec. 3) ruled that most of the data breach lawsuit claims against Target can continue and that banks pressing that lawsuit were almost fully correct in its allegations. That doesn’t mean, of course, that the judge found the claims to have merit, but merely that they were sufficient to proceed to trial.
U.S. District Judge Paul Magnuson in St. Paul, Minnesota, also found that the suing banks–Umpqua Holdings Corp’s Umpqua Bank in Roseburg, Oregon; Mutual Bank in Whitman, Massachusetts; Village Bank in St. Francis, Minnesota; CSE Federal Credit Union in Lake Charles, Louisiana; and First Federal Savings of Lorain in Lorain, Ohio—sufficiently alleged that Target had cut quite a few security corners as well as ignoring security alerts—both internal and external—during the attack.
“Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs,” Magnuson ruled. “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.”
One interesting part of the ruling involved an allegation that Target had violated the Minnesota Plastic Card Security Act, which prohibits doing business in Minnesota from retaining prohibited card data after 48 hours after a transaction has been processed. Target had argued that the state law “applies only to transactions that occur in Minnesota, making the Act inapplicable to the majority of transactions about which Plaintiffs complain.”
Referring to the out-of-state-transactions argument, Magnuson wasn’t buying it. ” Target’s first argument is not well taken. The Act does not apply only to business transactions that take place in Minnesota. By its terms, it applies to the data retention practices of any person or entity conducting business in Minnesota. The PCSA does not discriminate between in-state and out-of-state transactions or economic interests. Rather, it applies only to Minnesota companies’ data security practices and does not purport to regulate the practices of any non-Minnesota company. And it applies equally to the Minnesota companies’ data retention practices with respect to in-state and out-of-state transactions.”
The second argument Target made is wonderfully nuanced. The data retention in question was done not by Target employees but by the cyberthieves themselves, who used Target servers to store the stolen data for days before they transmitted it to a server they controlled in Russia. Target also argued that the data in question was not really taken from Target servers, but from shoppers directly, grabbing the data in realtime as cards were swiped.
The banks argued that the cyberthieves also accessed some data from Target servers and that such data helped the thieves complete their theft. ” Plaintiffs assert that the hackers gathered some data from the use of the card and other data from Target’s servers, making the data breach even more serious.”
The lawyers for both sides then engaged in wordplay. ” Plaintiffs and Target disagree over which definition of ‘retain’ the Court should use
in interpreting the PCSA’s requirements. Plaintiffs urge the Court to adopt the Oxford Dictionary’s definition of retain, which is to ‘continue to have something.’ Target, on the other hand, contends that the correct definition of ‘retain’ must be read in the context of technical data retention, and is ‘the storage of data for future usage.'”
“Whether the Court interprets ‘retain’ to mean ‘to continue to have’ or ‘storage for future use’ is immaterial to the outcome of the Motion to Dismiss. Plaintiffs allege that Target stored data for longer than the PCSA allows, and that the (thieves) were able to access some of this stored data, namely the CVV codes, without which the breach would not have been as serious. In other words, although the (thieves) received some data directly from consumers’ cards, they also retrieved other data from Target’s servers. Even if Target is correct that the (thieves’) storage of stolen data on Target’s servers does not implicate the PCSA, Plaintiffs’ claims undoubtedly state a PCSA violation. The Motion to Dismiss this Count must be denied.”