From November 27, through December 15, 2013, hackers stole credit card numbers and encrypted debit card PIN data from as many as 40 million credit and debit cards swiped at Target. The security breach was the second-largest data breach in United States retail history. According to Target, it “alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.” In a letter to customers, Target warned that customer names, credit and/or debit card numbers, expiration dates, and the CVV (security codes) were stolen. Target is facing significant financial ramifications including legal costs as well as owing money to the credit card companies that must reimburse their customers. Target also faces significant damage to its reputation.
Several months ago, Forbes magazine reported on class action lawsuits over the failure of businesses to secure consumers’ personal data, such as what occurred in the Target breach. While the filing of such cases may become the trend, it does not appear that they will be successful as recent cases have been dismissed for failure to prove standing. The judges in those cases have specifically ruled that the possibility of future injury in the form of an increased risk of identity theft, is insufficient to establish a present injury, and thus, plaintiffs do not have standing.
Interestingly, just two months before the Target data breach, California Governor Jerry Brown signed into law an amendment to California’s Security Breach Notification Act. According to Forbes, the new law requires “consumer notification if ‘a user name or email address, in combination with a password or security question and answer that would permit access to an online account’ was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts.”