Target is Liable to Consumers for Massive Data Heist
Recently Target allowed 40 million credit and debit cards to be stolen from its database. It disclosed last Friday that it has discovered that its massive database of information on 70 million customers was also broken into.
From a regulatory standpoint, Target could face a $90 fine for each cardholder’s data compromised. This equals about $3.6 billion in liability.
Other high profile stores recently in the news for credit card related data theft include Neiman Marcus and Barnes & Noble.
Target Can Be Sued on Several Legal Theories
Companies like Target make it easier and easier for customers to spend money at their stores. Statistics show that consumers spend a great deal more using credit cards than they would without credit cards. The upside financial benefit to stores accepting credit cards on and offline is huge.
At the same time these stores are substantially increasing sales and profits by accepting credit cards, we believe a strong legal argument can and should be made that these vendors have an obligation to protect the confidential and personal data they are getting from their customers. Steps need to be taken encrypting all data and protecting it from criminals.
During a normal credit card transaction, confidential financial data like credit card numbers, names, address and emails are routinely provided electronically or manually during the transaction. Stores have an affirmative duty to keep this information safe and protect it from third parties. This includes protecting the information from employees stealing the information internally or, hackers breaking into the digital network of a store or parent company for illegal financial gain.
A lawsuit has already been filed in San Francisco alleging that, “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” It is our understanding that several class actions will be filed shortly.
Only over time will we fully learn the efforts Target took to protect this important confidential data. If wrongdoing is shown, then as with any other business transaction, we believe viable causes of action against Target and similar stores and companies negligently protecting confidential credit card data would include negligence, breach of contract, invasion of privacy, fraud and depending on the facts, claims in equity.
Damages to consumers harmed because of Target’s wrongful and careless conduct would include out-of-pocket losses and expenses associated with the illegal use of the consumer’s information. Additional expenses consumers incur hiring third party companies such as accountants, data repair and security companies, and lawyers, might also be included in the recoverable damages.
If the facts ultimately show that Target knew it had problems with data security but intentionally avoided fixing the problem to save money (this happens all the time in corporate America), then punitive damages on top of compensatory damages might also be available to injured consumers.
There’s good reason why credit cards in Europe use a data security chip rather than the old fashion and out of date magnetic strip used in credit cards in the states. During our last trip to Amsterdam, most merchants wouldn’t even think about accepting our cards because of they didn’t contain the more secure data chip.
Hopefully this latest data theft catastrophe involving Target will result in all major credit card companies getting rid of their old technology and retool and offer the new digital chip alternative. We also hope it forces all on and offline stores to take their data security seriously and improve their internal data protection services and techniques.
The bottom line is that the harm and inconvenience caused to consumers of credit card fraud and identity theft is often times a nightmare. Stores like Target need to raise the bar and improve their data protective efforts or be held accountable for not doing so.