Target Corp. is asking a federal judge to throw out claims by banks that had to deal with the consequences of a data breach that compromised at least 40 million credit-card accounts.
Banks alleged the incursion forced them to reissue credit and debit cards, monitor accounts for fraudulent activity and reimburse those victimized, all while coping with decreased use of affected cards at the height of last year's holiday shopping season.
Five lenders, arguing on behalf of a proposed group including every financial institution whose customers made Target purchases in 2013 from Nov. 1 to Dec. 19, say they collectively sustained damages of at least $5 million.
The retailer is scheduled today to ask U.S. District Judge Paul Magnuson in St. Paul, Minnesota, to reject the case, arguing it dealt with the banks only through intermediaries, credit card companies, and had no obligation to protect them.
The argument comes a week before Black Friday, the unofficial start of the post-Thanksgiving holiday shopping season in the U.S. and a week after the hardware emporium Home Depot Inc. disclosed that 53 million e-mail addresses were taken by hackers in a breach it reported in September that also put 56 million payment cards at risk.
High-end retailer Neiman Marcus Group Ltd. and Sears Holdings Corp.'s discount chain Kmart have also been struck by hackers. Staples Inc., the world's biggest office-supply chain last month said it too may have been attacked. As of Nov. 19, it couldn't fully assess the damage, according to a filing with the U.S. Securities and Exchange Commission.
Target, based in Minneapolis, said personal information including addresses and phone numbers of as many as 110 million people might have been obtained by hackers last year.
The company, which this month hired a new chief risk and compliance officer, Jacqueline Hourigan Rice, is scheduled to argue on Dec. 11 for dismissal of consumer claims arising from its data breach.
The banks suing Target contend the company is trying to duck blame for its failure to safeguard card data.
"Target's gross security deficiencies enabled the breach, and Target's inaction and omissions worsened the breach's effect on plaintiffs," the lenders said in a court filing.
The banks are relying in part on a Minnesota law the Plastic Card Security Act to support their claim that Target had a duty to shield them. The retailer contends the lenders aren't covered by the measure.
The law prohibits the company from retaining certain card data after a sale is completed.
Target's lawyers say the data theft happened at the point of sale and that the statute doesn't apply. Bank attorneys counter the company has said it retained card data and that the retailer voluntarily disabled data system security functions that would have detected the breach.
The five banks leading the suit are Roseburg, Oregon-based Umpqua Bank; Whitman, Massachusetts-based Mutual Bank; CSE Federal Credit Union of Lake Charles, Louisiana; St. Francis, Minnesota-based Village Bank; and First Federal Savings of Lorain, in Lorain, Ohio.
The case is In re: Target Corporation Customer Data Security Breach Litigation, 14-md-2522, U.S. District Court, District of Minnesota (St. Paul).