A previous Business Advocate post, Clash of Titans: Retailers and Banks Argue Over Who Should Pay Card Replacement Costs,discussed the emerging battle between banks and retailers to decide who pays to reissue credit cards compromised by data breaches and/or covers other banking related costs (refunding unauthorized transactions, closing accounts and opening new accounts, etc.).
In some of the first salvos in that battle, 3 class actions (seeking to certify national classes) have been filed against Target by banks and credit unions based upon its alleged failure to use adequate security methods: Alabama State Employees Credit Union v. Target, Community Bank of Texas v. Target (filed in Minnesota) and First Choice Federal Credit Union v. Target (filed in Pennsylvania). The various suits allege that Target did follow reasonable and industry-standard protocols (including the Visa and MasterCard operating rules) and First Choice Federal Credit Union specifically alleges that Target improperly retained magnetic stripe information and data for more than 48 hours after a transaction.Alabama State Employees Credit Union was filed first and is based upon claims of negligence and breach of contract. In contrast, Community Bank of Texas and First Choice Federal Credit Union are based upon negligence and alleged violations of Minnesota statutes -- including Minn. Stat. Ann. §325E, part of the "Plastic Card Security Act," which provides that a violator that experiences a security breach must reimburse reasonable costs incurred by financial institutions as a result of the breach.
While standard contractual relationships related to credit cards make holding retailers liable for such banking costs difficult, at least two of these actions are based upon the Minnesota's Plastic Card Security Act. This act provides banks more ammunition against Target than in the typical circumstance. These cases will not be the only ones filed by banks against Target and other community banks and credit unions may consider taking the same tact to mitigate their losses as they often lack the resources to mitigate data breach related losses as larger institutions.