Judge Denies Target’s Motion to Dismiss Class Action Stemming from Data Breach

Dec. 11, 2014

Judge Denies Target’s Motion to Dismiss Class Action Stemming from Data Breach A decision rendered last week by a Minnesota judge could have long-lasting repercussions regarding the parties liable for costs incurred by data breaches. District Court Judge Paul A. Magnuson ruled that a class-action lawsuit filed on behalf of issuing banks affected by the high-profile network intrusion at Target last year can proceed. Target had asked the judge to dismiss the suit, which alleges the retailing giant was negligent and did not provide sufficient security measures to protect the stolen information.

Among the reasons the judge cited for denying Target’s motion to dismiss the case, the company’s contention that Minnesota’s Plastic Card Security Act does not apply because most of its business transactions take place outside the state “is not well taken” for a company based in Minnesota. The judge also pointed to the banks’ allegation that some of the stolen data, namely CVV codes without which the intrusion would have been far less serious, resided on Targets servers for longer than was allowed.

“Plaintiffs have plausibly pled a claim for negligence, a violation of the PCSA, and negligence per se,” Judge Magnuson wrote in his decision.

At the very least, experts say a ruling for the plaintiffs in this case would increase the already significant impact already felt by companies that experience a data breach, and could shake up the entire payments ecosystem in relation to who bears the cost of fraud.