Still recovering from its 2013 data breach, Target Corp. agreed to a $39 million settlement with a class of banks suing the well-known retailer, marking the settlement as the first class-wide data breach pact ever reached on behalf of financial institutions.

Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach still ranks among the most high-profile data incidents to hit retailers in recent years.

The class-wide pact stems from a consolidated class action complaint filed in August 2014 to recover an estimated $200 million in losses stemming from the breach, including costs to reimburse fraudulent charges and issue new payment cards. The complaint alleges that Target failed to take precautions to protect consumer data and violated the Minnesota Plastic Card Security Act.
Continue Reading Target Agrees to $39 Million Settlement with Credit Card Issuers’ Data Breach Claims

In a landmark decision, an administrative law judge dismissed the FTC’s long-running data security lawsuit against Atlanta-based cancer screening laboratory, LabMD Inc., following an alleged data breach. Chief Administrative Law Judge D. Michael Chappell (the “ALJ”) ruled in his Initial Decision that the FTC had failed to prove that the laboratory’s alleged conduct harmed, or could potentially harm, consumers.
Continue Reading ALJ Dismisses FTC’s Data Security Suit Against LabMD for Failure to Prove ‘Substantial Injury’ to Consumers

With the onslaught of smart watches, smart thermostats, and even smart refrigerators that allow you to Tweet hangry messages to your followers, it’s only natural that a “smart city” would follow.

This week, San Francisco city officials agreed to run a one-year pilot project with Sigfox – an FCC certified French start-up that builds low-power wireless networks – to create an Internet of Things (“IoT”) wireless network that caters exclusively to smart devices with low-bandwidth apps. While the term “wireless network” typically conjures up thoughts of the ubiquitous Wi-Fi symbol, this low-power, wide area network (“LPWAN”) on which Sigfox will operate is entirely separate from traditional cellular networks, which require a much higher level of data streaming and power usage.

Sigfox and city technology crews have installed about 20 of its base stations throughout San Francisco, using libraries and other city buildings. Each base station covers about 12 to 18 miles and is roughly the size of a briefcase. Device makers who want to join the network must install a radio chip that costs less than $2 and comes loaded with the Sigfox firmware.
Continue Reading San Francisco Launches First “Internet of Things” Wireless Network in United States

Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:

All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.

The certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Card Security Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.

In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.
Continue Reading FINANCIAL INSTITUTIONS MAKE HISTORY IN TARGET MDL, FIRST CLASS ACTION CERTIFIED IN FEDERAL COURT TO LITIGATE SECURITY BREACH ISSUES

On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.  As we have previously discussed, the implications of the lower court ruling, and now this ratification by the Third Circuit, are far-reaching.

After oral argument in March 2015, it appeared that the Third Circuit might be questioning just how far the FTC’s unfairness authority extends. One of Wyndham’s arguments, articulated in its motion to dismiss before District Judge Esther Salas, was that Congress never intended to allow the FTC to use the unfairness prong of its authority to reach negligent behavior that was not additionally fraudulent. Judge Salas disagreed with that argument, noting during oral arguments that if Congress had not intended the FTC to wield such power, Congress would have acted years ago when it saw the FTC overstepping its authority. During oral arguments in front of the Third Circuit, Circuit Judge Thomas L. Ambro seemed to back Wyndham’s argument, stating that the FTC was meant to use its authority to pursue routine fraud cases, and not those involving the outer limits of consumer harm. The decision, though, makes clear that the Third Circuit does not believe that the FTC has overstepped its authority in its regulation of unfair data security practices.
Continue Reading Third Circuit Upholds FTC’s Authority in Wyndham Case

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes three months after the company’s proposed $19 million settlement with MasterCard fell through as not enough banks accepted the deal.  The MasterCard deal required the approval of 90 percent of banks representing cardholder accounts that were affected by the breach. The Visa deal is less likely to fall apart because it was conditioned on a majority of issuers entering into direct settlements with Visa and Target, which Visa has since certified.  According to sources within the company and at MasterCard, the retailer is also renewing efforts to settle with MasterCard on a similar basis.

Meanwhile, a class certification motion hearing on behalf of the financial institution plaintiffs is scheduled to be held September 10, 2015. According to lead counsel for the plaintiffs, Charles Zimmerman of Zimmerman Reed PLLP, plaintiffs seek to hold Target accountable for damages “far greater than what has been offered under this settlement.” Zimmerman further contends that “[j]ust as with the proposed MasterCard settlement… [the Visa deal] was negotiated under a veil of secrecy without the involvement of the court or the court-appointed legal representatives of financial institutions.”
Continue Reading Target Reaches $67 Million Settlement with Visa over Data Breach Claims

The Payment Card Industry Security Standards Council (‘PCI SSC’) has had a busy year thus far updating both its Card Production Security Requirements and its Data Security Standards (‘PCI DSS’).

First, on 10 April, the PCI SSC updated its Card Production Requirements (guidance published to help card producers secure the card production process from creation through to delivery). The requirements themselves are divided into two parts: Card Production Logical Security Requirements and Card Production Physical Security Requirements. The logical requirements apply to the personalisation of cards or the manipulation of card data, whereas the physical requirements deal with processes like the storage and mailing of cards. The update changes or adds requirements across a variety of issues, from card storage embossing to emergency exits; but although the PCI SSC maintain the standards, the emphasis is firmly upon payment companies themselves to manage assessments against these PCI requirements.
Continue Reading PCI Council Updates both Card Production Standards and Data Security Standards

A proposed settlement has been reached in the multi-district consumer litigation Target faces following a data breach that compromised at least 40 million credit cards during the 2013 holiday shopping season. The settlement, which requires Target to pay $10 million into a settlement fund and adopt specific data security measures, still needs court approval.

If