In the thick of the holiday season, 40 million Target shoppers were greeted with distressing news: Hackers had managed to steal credit card and debit-card information from Target stores nationwide.
Target had to act quickly to try to rehabilitate itself in the eyes of its customers. It therefore offered customers a 10% discount for shopping over a busy holiday weekend, and for those customers whose cards were compromised, it also offered credit monitoring. As Target now tries to repair its image, it has been hit by a wave of consumer lawsuits alleging that Target was negligent in handling sensitive customer data and that, as a result, Target should be liable to its customers for various types of monetary damages. Target is also bracing itself for potential lawsuits from major banks, which had to handle claims from their customers about compromised cards.
In this column, I will evaluate the nature of consumer harm, and describe some of the myths surrounding the use of credit and debit cards. I will also evaluate the merits of the potential lawsuits I described above, and explain why it will be difficult for most, if not all, of the cardholders to recover much from Target, beyond the credit monitoring that is already on offer.
Background: The Breach of Target’s Security
Target is based in Minneapolis and has almost 1,800 stores in the United States. The Target card breach is the second largest in U.S. history, coming only after a 2005 case involving TJX, the parent company of TJ Maxx and Marshalls. Target stated on December 19, 2013, that approximately 40 million credit- and debit-card accounts “may have been impacted” after being used to pay for purchases at its U.S. stores between November 27 and December 15. On its corporate website, Target tells consumers, “Even if you shopped at Target during this time frame, it doesn’t mean you are a victim of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash.”
Target also tells consumers: “You will not be responsible for fraudulent charges—either your bank or Target have that responsibility.” And to give consumers peace of mind, Target has offered free credit-monitoring service for impacted customers.
In addition to the card numbers, Target revealed that card expiration dates and CVV security codes were also stolen. With this magnetic-stripe data, the hackers could create counterfeit cards. Criminals can then use these fake cards to purchase gift cards, which are in turn used to purchase goods or converted back into cash.
After Target made these announcements, other news stories revealed that Target has now admitted that encrypted PIN numbers were also captured in the breach, which is thought to affect around 40 million shoppers. Target insists, however, that the PIN numbers cannot be decrypted.
Beyond Headaches: What Harm Did Consumers Suffer?
At this stage, it is unclear how many consumers have actually had their cards compromised and used before they and their banks had a chance to cancel the cards and get them reissued. News items from the security site Krebsonsecurity report that credit and debit card accounts stolen in the recent Target data breach have been flooding underground black card markets, selling in batches of one million cards, with asking prices ranging from $20 to more than $100 per card.
But even if a card is stolen and the number and other information—such as the three-digit CVV code on the card—actually winds up in a thief’s hands, what harm will a consumer suffer? The answer is: It depends, and in many cases, there will be little or no financial loss to the consumer.
For credit cards, the maximum liability that a consumer may suffer for fraudulent or unauthorized transactions under federal law is $50. Moreover, if a consumer reports the fraud within two days of learning of a card loss or theft, the consumer’s loss may be $0, and many banks that issue cards have instituted a $0 liability policy across the board.
For debit cards, federal law is a bit different. If a customer reports any fraudulent transactions within two days of learning of the loss, the loss is also capped at $50, but after that, a customer’s loss can go up to $500, and after six months, the loss may be potentially unlimited. But what consumer would wait six months to check his or her bank statement and report any fraud?
Why is there a difference between credit and debit cards in this respect? Because the laws for each type of card were passed by Congress at different times, and Congress chose to treat each type of card differently, although it is not entirely clear why.
Consumer advocates always point out that the risk of loss from stolen debit cards is greater than the risk from stolen credit cards because federal law makes a distinction between the two types of consumer liabilities. That distinction, however, in many cases, exists on paper only. Banks and card networks (e.g., Visa and MasterCard) often use a $50 across-the-board cap for both credit cards and debit cards and have parallel policies for both. In some cases, liability may even be $0—although the zero-liability policy often depends on whether an alleged theft or fraud was accomplished with a PIN, or was a signature-based, PIN-less transaction. So in some cases, a debit cardholder may be worse off—but not by much.
But the bottom line is that, for many consumers, the actual financial loss from the theft of a credit or debit card will be minimal, if not zero. And in high-profile situations, such as a massive breach, banks may be more likely to be lenient with customers, in order to help preserve confidence in the debit- and credit-card systems.
The major problems, in the end, are likely hassle and inconvenience. Customers who shopped at Target have to quickly notify their bank about any fraud, and cancel their cards. How will they know about the breach? Target has a duty under the data breach security notification laws in 46 states to provide prompt notice of the security breach to affected customers.
It is true that, with a debit card, a customer has money taken immediately from their account to pay for things. So if a thief uses a stolen card, a customer may find himself or herself overdrawn, without funds, and having to fill out paperwork and deal with long waits on the telephone in order to get a bank to re-credit lost funds. Still, in most cases, banks can pretty quickly re-credit funds while investigating whether certain transactions are indeed theft.
Some consumers may suffer inconvenience and headaches in getting back funds, and in getting cards reissued. Is there a risk of identity theft? When only a card is stolen, the answer is no. Thieves can use stolen card numbers to make fraudulent purchases, but knowing a cardholder’s name and card number does not make for easy identity theft, which relies upon having a person’s name, birthdate, address, Social Security Number, and other personally identifying information (e.g., employer, prior addresses, and so on).
So, what if a consumer can prove that his or her card was stolen, and that it led to unauthorized charges on his or her account: What might that person’s damages be? They might include (1) the cost of making calls to a bank to get a card canceled and reissued, (2) the time spent completing paperwork to get funds reinstated, and (3) perhaps some overdraft fees and possibly some minimal liability of $50. Does this make it worth suing the card issuer? Not for an individual consumer, perhaps, but law firms are already racing to the courthouse.
After the Target breach, a few banks took the unprecedented step of limiting how much customers could spend at stores or withdraw from ATMs using their debit cards. No such restrictions were put on credit-card customers. This was another hassle for consumers: If you can only withdraw $100 or shop for transactions up to $250, for example, then how can you buy a new plasma TV for the holidays, book a plane ticket for your vacation, or otherwise deal with holiday spending? This seemed to be the biggest headache of them all.
Are the Target Class Action Lawsuits Ill-Fated?
Consumers often want to be compensated for their loss of time, and for their sense that a company has let them down. But it is challenging to turn that headache and hassle into a viable lawsuit. In the wake of many and frequent security breaches, consumers are fed up with retailers and other consumer-oriented companies, believing that those companies are not taking sufficient steps to keep their data secure.
The key claims in many class-action lawsuits arising from security/data breaches involve negligence and breach of contract. Customers allege that companies like Target did not take proper care and precautions to keep data secure, and thus acted negligently. There are payment-card security standards, known as the Payment Card Industry Data Security Standard (PCI DSS), that companies are meant to follow when participating in the Visa or MasterCard networks. If Target failed to follow proper standards, it might be found in court to have been negligent.
A related claim is breach of implied contract. Plaintiffs could argue that Target made an implied promise to consumers that keeping data secure was part of the bargain when it offered to take payments from its customers via a point-of-sale terminal, where customers swipe their cards.
Target says that it is “confident PIN numbers are safe and secure”. But the company faces around 40 lawsuits seeking class-action status as a result of the hack. The suits were filed on behalf of people who allege that their information was stolen and that Target either failed to properly secure their customer data, did not promptly notify customers of the breach, or both. More than $5 million in damages is being sought in several cases, two of which were filed in California, and one in Oregon.
With so little information known about the Target breach, it is unclear whether the plaintiffs will be able to prove their allegations.
One legal complaint in Louisiana quotes an FTC report on identity theft to say that what the hackers obtained is as “good as gold.” And in describing the harm from the breach, the lawsuits say that the affected customers will have to worry about their data security for years. While lawsuits are common in the wake of a major hacking incident, the sheer volume of them against Target is unusual.
In another complaint filed in Utah, the plaintiffs allege that they are subject to “continuing damages from having their Personal Information compromised as a result of Target’s inadequate systems and failures. Such damages include, among other things, out-of-pocket expenses incurred to mitigate the increased risk of identity theft and or fraud; credit, debit, and financial monitoring to prevent and/or mitigate theft, identity theft, and/or fraud incurred or likely to occur as a result of Target’s security failures; the value of their time and resources spent mitigating the identity theft and/or fraud; the cost of and time spent replacing credit cards and debit cards and reconfiguring automatic payment programs with other merchants related to the compromised cards…”
Will These Claims Succeed?
Data-breach lawsuits are often class actions, brought on behalf of a class of consumers whose data has been compromised by a data breach. It is often tricky, however, for consumers to get certified as a class for litigation of data breaches.
Some courts have allowed class actions to be brought in cases of large data/security breaches, finding that a risk of future harm may be enough to confer standing on an unnamed group of consumers. The U.S. Court of Appeals for the Ninth Circuit, for example, has concluded that the risk of future harm following a data breach can confer standing on a consumer class.
In Krottner v. Starbucks Corp., a laptop was stolen that contained unencrypted personal information. The court noted that at least one attempt had been made to steal a consumer’s identity as a result of the breach. The Ninth Circuit concluded that the consumer plaintiffs’ “generalized anxiety and stress” resulting from the breach was enough to confer standing.
By contrast, the U.S. Court of Appeals for the Third Circuit, in Reilly v. Ceridian Corporation, characterized a risk of identity theft as speculative, where there was no evidence that the breach was the result of specific malicious acts, and there was no evidence that there had been any misuse of any of the compromised personal data. In Reilly a hacker gained access to the defendant company’s systems, which contained the consumer plaintiff’s personal information. It was not known if the intruder had read or copied or otherwise used the data he had accessed. The court concluded that any “hypothetical, future injury” arising from the breach was insufficient to confer standing.
In the Target case, the plaintiffs’ situation seems closer to that in Krottner, and those who can show their card numbers were stolen may have a clear enough case to have standing to sue as a general class of victims.
But even if a plaintiff can establish standing, he or she must still succeed on the merits of the case and demonstrate a true legal harm.
The most successful cases so far in this area of law have involved a consumer plaintiff who has suffered actual identity theft that has led to fraudulent charges or credit applications or some other demonstrated financial harm. Generally, in these cases, courts have been more willing to provide monetary recovery for provable losses. In cases involving only the heightened risk of harm, however, courts have hesitated to apply traditional legal theories to cases involving risk, rather than actual loss. Even the Krottner case was ultimately dismissed because the consumer plaintiffs did not provide evidence of actual loss.
Last year, however, the U.S. Court of Appeals for the First Circuit concluded that a large data breach that had resulted in potential harm did create a situation where consumers were able to sue for losses relating to preventative measures taken to mitigate against future harm.
In the Anderson v. Hannaford Bros. Co. case, hackers stole 4.2 million debit and credit card numbers from the Maine-based grocer, resulting in at least 1,800 incidences of fraud. Unlike in prior cases, the card owners were not merely exposed to a hypothetical risk that their personal data would be used; it was alleged that they actually suffered financial losses from credit- and debit-card misuse. The court thus allowed the consumer plaintiffs to recover the costs of reasonable efforts to mitigate the harm, such as the cost of credit monitoring and replacement card costs for the cancellation and reissuance of cards. In determining that the plaintiffs’ mitigation steps were reasonable, the court noted that this case involved a large-scale criminal operation and the deliberate taking of card data by sophisticated thieves.
Of course, in the Target case, Target has already offered credit monitoring—so it is unclear what other damages may be available. The Hannaford case was remanded by the First Circuit back to the U.S. District Court in Maine, which ruled on whether the remaining 1,800 plaintiffs (who had each suffered some sort of injury or loss from the card theft) could sue as a class. In April 2013, the district court denied the motion to certify the class of 1,800 plaintiffs, finding that “the plaintiffs failed to prove how much in out-of-pocket expenses they spent to protect themselves from fraud as a result of the breach.” According to court documents, Judge Hornby said that the plaintiffs’ failure to have an expert verify their damages was a “fatal” flaw in their arguments for class-action certification: “I conclude that their lack of an expert opinion on their ability to prove total damages to the jury is fatal,” Judge Hornby wrote. “Without an expert, they cannot prove total damages, and the alternative (which even they do not advocate) is a trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”
So even though the Hannaford case provides a new basis for plaintiffs to substantiate damages based on credit monitoring, and other fees relating to trying to deal with card theft, it still was not sufficient to provide grounds for a class action. Since damages for each plaintiff are likely to be minimal, it will be hard for any lawyer, or any individual consumer who was harmed by the Hannaford breach, to go ahead and sue on his or her own.
So, the litigation hurdle still remains high, and while it is high, the individual damages for any consumer may be minimal. Target is doing the right thing in immediately providing credit monitoring, which gives customers some peace of mind.
As for the headache? The headache for any consumer of a lost, stolen, or compromised debit or credit card is the same whether it is part of a massive hack or an individual situation, and the hassle and liability remain the same in either case, too. Federal law, to a great extent, by limiting consumer liability for fraudulent transactions, relieves the consumer of much of the burden and hardship. Moreover, credit-card issuers often go beyond federal law in relieving consumers of any liability. It is true that there is a divergence between how credit cards and debit cards are treated as a matter of law, so Congress might be wise to act to close that gap—and its doing so would give consumers greater peace of mind. But beyond that measure, class actions seem like a poor route to get companies to clean up their acts on the security front.
Other Enforcement Action Is Likely
State attorneys general are already looking into this large security breach, and their investigations may pave the way for either a state or a federal enforcement action relating to Target’s security practices. If Target failed to take proper precautions, that failure might be labeled an unfair or deceptive practice, since companies often make promises to consumers that their information will be kept secure, thus creating an expectation that this is indeed the case.
Target will likely draw the attention of federal regulators. The Federal Trade Commission (FTC) has filed a number of lawsuits against companies arising from data breaches. These lawsuits commonly result in settlements with no admission of wrongdoing by the company. Here, two Democratic U.S. Senators, Richard Blumenthal of Connecticut and Chuck Schumer of New York, have requested that the FTC investigate the breach. “If Target failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects their personal information,” Blumenthal said in a letter to FTC Chairwoman Edith Ramirez. “Its conduct would be unfair and deceptive.”
In June 2012, the FTC filed a lawsuit against Wyndham Hotels & Resorts arising from three data breaches occurring over a period of two years. The FTC alleged that Wyndham misrepresented the security measures it took to safeguard consumers’ personal information, and that the failure to safeguard personal information had caused substantial consumer injury. Wyndham, rather than settling with the FTC, took a bold step and filed a motion in federal district court to dismiss the FTC’s lawsuit. Wyndham argued that the FTC “has neither the expertise nor the statutory authority to establish data security standards for the private sector.” Wyndham further noted that the FTC has not published any regulations that would provide the business community with adequate notice of what type of data-security protections would allow companies to be in compliance with federal law and avoid sanctions. As this may be the first data-security case that the FTC will be required to litigate, U.S. companies are closely watching this case.
Is More Regulation Needed?
As I noted above, credit-card liability is already capped at $50, while debit cards have a higher limit that could in theory leave a consumer responsible for all losses from unauthorized use if the consumer does not notice and report those losses until more than 60 days after the bank statement showing the fraudulent transactions is made available. So perhaps reform of debit-card protections is a good thing.
Debit cards are here to stay and are a preferred method of payment for many. Consumer groups want Congress to guarantee more fraud protection for debit card holders. But the banking industry opposes any change in liability limits, so it’s unlikely that Congress will do anything in this area of law.
Senator Robert Menendez wants the U.S. government to hold corporations accountable for customer financial and personal information when there is a data breach like that which enabled the Target hack. Menendez recently stood outside of a Target store in New Jersey, said that he wants to ensure that corporations are “putting their customer ahead of profits,” and announced that he was inquiring of the FTC whether or not a fine can be imposed on companies that are vulnerable to cyber-attacks. Menendez also contended that the government should pass more laws protecting customer data. The Senator said, “We need to know if the FTC has the teeth to hold retailers who failed to protect consumers’ information accountable.”
Even if Congress does nothing, Target has already suffered reputationally and financially. A breach of security during the holiday shopping season is a PR nightmare. According to news reports, Target shares have fallen about 2.8 percent since the company disclosed the breach, erasing about $1 billion in market value from the company.
Moreover, Target’s consumer perception scores have dropped to their lowest level since 2007, according to a survey of 15,000 people by YouGov BrandIndex, which tracks the public perception of thousands of brands around the world.
And even if consumer lawsuits against Target fail, banks like Chase and Citibank could sue Target to help pay for the cost of cleaning up the mess of the retailer’s recent loss of card information to hackers. Banks have to spend lots of money investigating possibly fraudulent transactions; some banks will lose money on fraudulent charges; and the cost of issuing new replacement cards is also pricey.
Banks have sued merchants following large security breaches in the past. For instance, a 2009 breach at Heartland Payment Systems eventually cost the company $140 million, with more litigation ongoing.
So while consumers are at the heart of the storm at Target, their losses may be the smallest piece of this puzzle, for federal law, industry practice, and Target’s own actions should mitigate most of the loss consumers suffer—save for the hassles and the headache involved in trying to clear up the mess. But, in this instance, waiting for a payout from a lawsuit will do little more to relieve their pain.