I wrote another blog in October about the risks associated with third party data breaches and how they can impact a bank’s relationship with its customers, titled The Real Threat of Data Breaches, Trust me. Banks have been fighting for retailers to take financial responsibility for their poor data protection practices for years, with little success. This is due to the fact that retailers claim that since “the bank” is not doing business directly with the retailer, they are not the victim. A recent judge’s decision to allow a class action lawsuit to proceed against Target Corp., for the costs incurred by banks in response to the massive data breach by the retailer, could have far reaching impact on how this cost liability is treated in the future.
As bank executives know, we are not talking about a small amount of cost here. On average, it costs banks $10.00 for every card it has to reissue. When a small community bank or credit union has to reissue thousands of cards, this cost will add up quickly! In the complaint filed with the US District Court of Minnesota, the total financial industry cost related to the Target data breach is up to $18 Billion (here is a link to the 42 page complaint if you are curious).
Needless to say, with that large a liability, Target is vigorously fighting the lawsuit. Lawsuits such as this have been brought in the past, but not many and all were dismissed. That is why Judge Magnuson’s decision to allow the trial to proceed is a win for financial institutions. This trial likely will not move forward until 2016, but retailers and financial institutions will be following very closely to see what sort of precedent it sets. Home Depot is facing a similar suit due to the large customer data breach they sustained this year. The lawyer representing one of the credit unions in this suit stated:
The major issue is who will be responsible for the enormous cost associated with cybercrimes—the retailers where the problem manifests itself or the banks that have no control over what goes on at the retailer [level]."
While his comment is pretty straight forward, in the complicated arena of litigation nothing is as straight forward as it sounds. However we are already seeing changes in this area. Back in April the US District Court for the District Court of New Jersey ruled that the Federal Trade Commission can sue companies on charges related to data breaches. Under a law dating back to 1914, the FTC has broad powers to protect consumers from companies that engage in unfair or deceptive trade practices. The commission has relied on the law to bring a series of enforcement actions targeting companies' cybersecurity efforts. As these cases move forward it will be very interesting to see on whose side the court’s decision falls. Hopefully, we will see retailers bearing additional responsibility for the data breaches caused by lax data security policies.
Manager Hometown: Pensacola, Florida Alma Mater: University of West Florida
Former Eagle Scout and supporter of the Boy Scouts of America. Avid Hiker, Mountain Biker, and Sports Fan. Die-hard Atlanta Braves fan.