Many of you may worry that your personal information has been compromised by the security breach affecting 40 million Target shoppers over the holidays. As Target now tries to repair its image, it has been hit by a wave of consumer lawsuits alleging that Target was negligent in handling sensitive customer data and that, as a result, Target should be liable to its customers for various types of monetary damages. Target is also bracing itself for potential lawsuits from major banks, which had to handle claims from their customers about compromised cards. The Target card breach is the second largest in U.S. history. Target stated on December 19, 2013, that approximately 40 million credit- and debit-card accounts “may have been impacted” after being used to pay for purchases at its U.S. stores between November 27 and December 15. On its corporate website, Target tells consumers, “Even if you shopped at Target during this time frame, it doesn’t mean you are a victim of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash.” In addition to the card numbers, Target revealed that card expiration dates and CVV security codes were also stolen. With this data, the hackers could use this magnetic stripe data to create counterfeit cards. Criminals can then use these fake cards to purchase gift cards, which are then used to purchase goods or to be converted back into cash.
How does this affect you? If a card is stolen and the number and the three-digit CVV code on the card actually winds up in a thief’s hands, in many cases, there will be little or no financial loss to the consumer.
For credit cards, the maximum liability that a consumer may suffer for fraudulent or unauthorized transactions under federal law is $50. Moreover, if a consumer reports the fraud within two days of learning of a card loss or theft, the consumer’s loss may be $0, and many banks that issue cards have instituted a $0 liability policy across the board.
For debit cards, federal law is a bit different. If a customer reports any fraudulent transactions within two days of learning of the loss, the loss is also capped at $50, but after that, a customer’s loss can go up to $500,and after six months, the loss may be potentially unlimited. It is a common belief that the risk of loss from stolen debit cards is greater than the risk from stolen credit cards because federal law makes a distinction between the two types of consumer liabilities. That distinction, however, in many cases, exists on paper only. Banks often use a $50 across-the-board cap for both credit cards and debit cards. Bottom line, your probable loss is actually your time and inconvenience.
If a thief uses a stolen card, a customer may find himself or herself overdrawn, without funds, and having to fill out paperwork to get their bank to credit lost funds. While consumers may suffer inconvenience and headaches in getting back funds, and in getting cards reissued. Is there a risk of identity theft? When only a card is stolen, the answer is no. Thieves can use stolen card numbers to make fraudulent purchases, but knowing a cardholder’s name and card number does not make for easy identity theft, which relies upon other identifying information such as date of birth, address, and Social Security Number.
So, what if a consumer can provide that his card was stolen, and that it led to unauthorized charges on his or her account: What might that person’s damages be? They might include (1) the cost of making calls to a bank to get a card canceled and reissued, (2) the time spent completing paperwork to get funds reinstated, and (3) perhaps some overdraft fees and possibly some minimal liability of $50. Does this make it worth suing the card issuer?
Most class-action lawsuits arising from security/data breaches involve negligence and breach of contract. Customers allege that companies like Target did not take proper care and precautions to keep data secure, and thus acted negligently. There are credit-card securities standards, known as the Payment Card Industry Data Security Standard (PCI DSS), that companies are meant to use when participating in Visa or MasterCard networks. If Target failed to use proper standards, it might be held liable. Plaintiffs may also argue that Target made an implied promise to consumers that keeping data secure was part of the bargain when it offered to take payments from its customers via a point-of-sale terminal, where customers swipe their cards. To date, Target faces around 40 lawsuits seeking class-action status as a result of the incident. The suits were filed on behalf of people who allege that their information was stolen and that Target either failed to properly secure their customer data, did not promptly notify customers of the breach, or both. More than $5 million in damages is being sought in several cases, two of which were filed in California, and one in Oregon. Data-breach lawsuits are often class actions, brought on behalf of a class of consumers whose data has been compromised by a data breach. It is often tricky, however, for consumers to get certified as a class for litigation of data breaches. In the Target case, Plaintiffs who can show their card numbers were stolen may have a clear enough case to have standing to sue as a general class of victims. But even if a plaintiff can establish standing, he or she must still succeed on the merits of the case and demonstrate a true legal harm. So, the litigation hurdle is high and individual damages for any consumer may be minimal.