Lessons from Target Class Action Ruling by Judy Selby
In addition to the consumer lawsuits arising out of last year's massive data breach, Target faces a potentially more problematic lawsuit brought by financial institutions that issued credit and debit cards affected by the breach. Those card issuers claim to be out of pocket billions of dollars in connection with replacing cards and servicing breach-impacted customers. Importantly, unlike cases brought by consumers, card issuer lawsuits may not be susceptible to some of the legal defenses that have led to early dismissal of many consumer data breach claims.
On December 2nd, Target lost its motion to dismiss the card issuers' lawsuit. Although the court's decision was based solely on the adequacy of the card issuers' pleadings and not on the actual merits of their claims, an important takeaway emerges even at this preliminary stage of the case: information governance practices can land companies in big trouble, or they can provide an important defense against information-related claims.
In their class action complaint, the card issuers alleged that Target's actions and inactions in connection with safeguarding customer data caused them foreseeable harm. They also alleged that Target violated applicable data retention laws by storing customer information for longer than permitted under the law. The court ruled that those allegations were sufficient to allow the card issuers' negligence and statutory claims to survive Target's bid for an early dismissal of the suit.
Entities today should appreciate that the decisions they make -- or don't make -- about how to collect, store, utilize and safeguard protected information can lead to bad headlines, stock drops, regulatory problems and lawsuits. But taking a proactive, enterprise-wide approach to governing information can protect companies from many information-related liabilities.
A company's information governance program should address how information is governed throughout its entire life cycle (including creation, collection, usage and disposal), as well as privacy, compliance, and security concerns. By involving all relevant corporate stakeholders in the development of an information governance program, companies can make good decisions that will reduce costs and risks while also improving efficiency.
And if (or should I say, when) a company is the victim of a data breach, its ability to demonstrate good information governance practices may provide an important layer of protection against claims based on negligence, unreasonable practices and failure to comply with statutory requirements.