A number of investigations and inquiries, including a call for a hearing in Congress on December 30, 2013, have been sparked by Target Corp.’s announcement of a massive security breach affecting approximately 40 million of its customers’ credit and debit card accounts used at brick-and-mortar Target stores between November 27 and at least December 15.
The retailer stated that hackers obtained information known as “track data”: customer names as well as debit or credit card numbers and card verification values (CVVs). Armed with track data, hackers can create counterfeit cards by encoding the information onto any card with a magnetic stripe. In recent weeks, the stolen track data has been flooding underground black markets, according to Brian Krebs, writing on Krebs on Security. The data is being sold in batches of one million cards for anywhere from $20 to more than $100 per card, with cards issued by foreign banks fetching the higher prices.
Target’s data breach has attracted renewed interest in consumer financial security more generally. On December 30, 2013, Senators Mark R. Warner (D-VA) and Robert Menendez (D-NJ) wrote to the Senate Committee on Banking, Housing, and Urban Affairs’ Chairman Tim Johnson and Ranking Member Mike Crapo, requesting a hearing on consumer financial data security in light of the Target data theft.
State governments have also taken an interest. Attorneys general across the country discussed the data breach with Target’s EVP and General Counsel, Tim Baer, on December 23 and are scheduled to do so again the week of January 6. In the past, federal and state officials have fined companies when they determined that the companies did not adequately protect private consumer information.
Unsurprisingly, a number of consumer class action lawsuits have also sprung up, alleging that Target violated a number of state laws, was negligent in protecting consumer data, and failed to notify consumers in a timely manner. As of December 27, Target had been named in at least 40 lawsuits across the country, which will likely eventually be consolidated or become part of a multidistrict litigation panel.
A number of the lawsuits allege “compensatory damages” or “harm,” generally, but fail to describe damages with specificity. These lawsuits may encounter challenges in light of the 2012 Supreme Court decision in Clapper v. Amnesty International, which rejected the idea of “manufacture[d] standing,” whereby plaintiffs choose to make expenditures based on their fears of hypothetical future harms such as identity theft. Cf. Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (threat of future identity theft sufficient to confer standing) and Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) (same).
Target’s data breach is among the largest retail data breaches to date, following the 2009 breach of track data for 130 million cards at credit card processor Heartland Payment Systems and the 2007 breach of 45 million credit and debit cards at retailer TJX (parent of T.J. Maxx and other discount chains). Given the scale of the breach, it is likely that we will see increased activity in the area of consumer financial security and other fast-paced developments as the investigations and cases proceed.