Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:

All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.

This certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Security Card Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.

In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.
Continue Reading FINANCIAL INSTITUTIONS MAKE HISTORY IN TARGET MDL, FIRST CLASS ACTION CERTIFIED IN FEDERAL COURT TO LITIGATE SECURITY BREACH ISSUES

On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.  As we have previously discussed, the implications of the lower court ruling, and now this ratification by the Third Circuit, are far-reaching.

After oral argument in March 2015, it appeared that the Third Circuit might be questioning just how far the FTC’s unfairness authority extends.  One of Wyndham’s arguments, articulated in its motion to dismiss that was in front of District Judge Esther Salas, was that the Congress never intended to allow the FTC to use the unfairness prong of its authority to reach negligent behavior that was not additionally fraudulent.  Judge Salas disagreed with that argument, noting during oral arguments that if Congress had not intended the FTC to wield such power, Congress would have acted years ago when it saw the FTC overstepping its authority.  During oral arguments in front of the Third Circuit, Circuit Judge Thomas L. Ambro seemed to back Wyndham’s argument, stating that the FTC was meant to use its authority to pursue routine fraud cases, and not those involving the outer limits of consumer harm.  The decision, though, makes clear that the Third Circuit does not believe that the FTC has overstepped its authority in its regulation of unfair data security practices.
Continue Reading Third Circuit Upholds FTC’s Authority in Wyndham Case

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes three months after the company’s proposed $19 million settlement with MasterCard fell through as not enough banks accepted the deal.  The MasterCard deal required the approval of 90 percent of banks representing cardholder accounts that were affected by the breach. The Visa deal is less likely to fall apart because it was conditioned on a majority of issuers entering into direct settlements with Visa and Target, which Visa has since certified.  According to sources within the company and at MasterCard, the retailer is also renewing efforts to settle with MasterCard on a similar basis.

Meanwhile, a class certification motion hearing on behalf of the financial institution plaintiffs is scheduled to be held September 10, 2015.  According to lead counsel for the plaintiffs, Charles Zimmerman of Zimmerman Reed PLLP, plaintiffs seek to hold Target accountable for damages “far greater than what has been offered under this settlement.”  Zimmerman further contends that “[j]ust as with the proposed MasterCard settlement… [the Visa deal] was negotiated under a veil of secrecy without the involvement of the court or the court-appointment legal representatives of financial institutions.”
Continue Reading Target Reaches $67 Million Settlement with Visa over Data Breach Claims

The Payment Card Industry Security Standards Council (‘PCI SSC’) has had a busy year thus far updating both its Card Production Security Requirements and its Data Security Standards (‘PCI DSS’).

First, on 10 April, the PCI SSC updated its Card Production Requirements (guidance published to help card producers secure the card production process from creation through to delivery). The requirements themselves are divided into two parts: Card Production Logical Security Requirements and Card Production Physical Security Requirements. The logical requirements apply to the personalisation of cards or the manipulation of card data, whereas the physical requirements deal with processes like the storage and mailing of cards. The update changes or adds requirements across a variety of issues, from card storage embossing to emergency exits; but although the PCI SSC maintain the standards, the emphasis is firmly upon payment companies themselves to manage assessments against these PCI requirements.
Continue Reading PCI Council Updates both Card Production Standards and Data Security Standards

The Payment Card Industry Security Standards Council (‘PCI SSC’) has had a busy year thus far updating both its Card Production Security Requirements and its Data Security Standards (‘PCI DSS’).

First, on 10 April, the PCI SSC updated its Card Production Requirements (guidance published to help card producers secure the card production process from creation through to delivery).  The requirements themselves are divided into two parts: Card Production Logical Security Requirements and Card Production Physical Security Requirements. The logical requirements apply to the personalisation of cards or the manipulation of card data, whereas the physical requirements deal with processes like the storage and mailing of cards. The update changes or adds requirements across a variety of issues, from card storage embossing to emergency exits; but although the PCI SSC maintain the standards, the emphasis is firmly upon payment companies themselves to manage assessments against these PCI requirements.

Continue Reading PCI Council Updates both Card Production Standards and Data Security Standards

A proposed settlement has been reached in the multi-district consumer litigation Target faces following a data breach that compromised at least 40 million credit cards during the 2013 holiday shopping season. The settlement, which requires Target to pay $10 million into a settlement fund and adopt specific data security measures, still needs court approval.

If

In September 2014 we reported on the UK’s intention to stamp out a practice commonly known as “enforced subject access requests”. This concerned the previously dormant section 56 of the UK Data Protection Act 1998 (‘DPA’), which, following an announcement from the Ministry of Justice, was implemented on March 10, 2015. Under this section, it

The federal government may be pushing a cybersecurity and data privacy agenda, but that doesn’t mean that the states are taking a back seat. The state attorneys general are maintaining their focus on issues relating to privacy and data security and expanding the scope of that focus to address the ever-evolving nature of those