Eleven Law Firms Push For Class Action Certification Over Target Data Breach
The likelihood of a class action lawsuit against Target over the 2013 data breach grew after a motion for class action status was recently submitted to the U.S. District Court of Minnesota. Those court filings were unsealed to the public last Thursday.
Eleven law firms (the same that alleged Target was hiding related information under a “confidential” status) are representing four banks and a credit union as lead plaintiffs, while also acknowledging the thousands of financial institutions that incurred monetary damages due to the breach.
TCB asked the potential class how much money it would be seeking in damages, but a member of the counsel said the figure would not be made public until a later date. As written in the class certification filing, however, the damages sought would cover the costs of “cancelling and reissuing cards, reimbursing customers for fraudulent transactions, and undertaking additional customer service.”
Co-lead counsel for the pending litigation, Charles Zimmerman and Karl Cambronne, said in a statement that they hope “the now-unsealed motion for Class Certification shows how Target’s misconduct led to one of the largest data breaches in U.S. history.” Both lawyers made nods to Target’s settlement announcement with Visa for $67 million, which they called “inadequate.” They added, “it is no coincidence that Target set its deadline to accept the settlement just a few days before the Class Certification hearing.”
Allan Erbsen, associate professor at the University of Minnesota’s law school, said the Court won’t likely land on a decision for quite some time. “Plaintiffs seek certification more often than courts grant it,” he said in an email. “The risks to Target are especially acute because plaintiffs are sophisticated financial institutions that are likely to pursue the case aggressively.”
Within the 52-page court filing, lawyers gave particular focus to what they call “Target’s longstanding lackadaisical practices and corporate attitudes toward securing sensitive payment card data.”
Michael Salters, a group manager for Target’s security operations center, was quoted in the report as having testified that, prior to the breach, Target discovered unencrypted payment card information dating back “at least six or seven years” that was easily accessible on servers belonging to 292 Target stores.
This prompted two third-party teams to conduct studies of Target’s cyber-security environment over the first eight months of 2013, not long before the breach. According to the class certification filing, the studies provided Target with more than 20 recommendations to beef up its cyber-security protocol, which the plaintiffs’ lawyers believe would have prevented or minimized the breach’s impact.
One such recommendation was to use whitelisting, a process of permitting approved programs to run in specific cases and blocking other programs that are deemed unnecessary, which is largely useful in identifying spam and malware. Instead, Target de-prioritized this protocol, the filing said. In a March testimony to the Senate Committee, recently appointed COO and executive vice president John Mulligan of Target said whitelisting would be part of the strategy for the retailer’s cybersecurity department moving forward.
The lengthy report includes summarized remarks from Nickolas Kemske, the information protection and cybersecurity manager for Target at the time of the breach. Kemske said there was no formal process or procedure in place when it came to following up on potential threats, or even a way to communicate any threats to Target’s senior executives.
Before the time of the breach, Target initiated a “system freeze,” a practice commonly done over the span of Target’s higher-profit seasons but one that ultimately limits the retailer’s ability to make changes within its security systems. In this case, the “system freeze” lasted from October 2013 to January 2014. Questions about what a “system freeze” entails and why the retailer performs this operation during higher-profit seasons were posed to Target; however, Target did not provide a response. Target’s anti-virus provider, Symantec, was disabled “until after black Friday.” Meanwhile, Target’s use of a malware tool by computer security firm FireEye had been limited to a state of “detection mode.” On top of that, the FireEye tool was not integrated into Target’s systems to send security alerts.
FireEye detected the hacker’s presence as early as November 30 and again on December 2, yet the program provided limited help to Target’s employees. It wasn’t until the U.S. Secret Service contacted Target on December 12 that the company moved to take action. Ultimately, about 110 million people’s private information had been compromised.
When asked about the allegations made in the class certification filings, Target spokeswoman Molly Snyder gave this statement: “Class action counsels’ allegations are not new and are drawn from old, and long-disputed, assertions. Target rejects the arguments and characterizations. None of these allegations are currently before the court for resolution. The upcoming hearing is instead limited to whether a class should be certified in this case or not. Target has filed its opposition to class certification. As this is pending litigation, we are not in a position to comment further.”
In Target’s first quarter report, the retailer said it had spent $256 million of cumulative expenses, but received $90 million in return for expected insurance recoveries. Its second quarter report also listed a cumulative $21 million in pretax data breach-related expenses, bringing the total to at least $187 million.
On Monday, Target agreed to pay $2.8 million to settle a hiring discrimination claim filed by the U.S. Equal Employment Opportunity Commission. The federal agency said it found “reasonable cause to believe that three employment assessments formerly used by Target disproportionately screened out applicants for exempt-level professional positions based on race and sex.”
On Tuesday, the Securities and Exchange Commission said it would not penalize Target over the data breach after its investigation. However, other state and private entities are still conducting their own investigations, which could lead to other settlement costs or penalties for Target in the future.
As of last week, Target’s second quarter results ushered in signs of the retailer finally rebounding from the effects of the breach. With a $400 million increase in revenue from its 2014 Q2 results, CEO Brian Cornell and COO Mulligan voiced plans to rebrand Target’s grocery and retail experience, saying the company has “much more to accomplish.”
For more on Target and its recent efforts to build a competitive edge over its retail rivals, read the August cover story of Twin Cities Business magazine.