Published on:

Liability for Cybersecurity Breaches Still Uncertain for Many Businesses

Many businesses routinely make use of customers’ personally identifiable information (PII), such as names, dates of birth, addresses, and credit card numbers. Now that nearly all business financial activities are computerized and networked, cybersecurity is a major concern. In addition to the risk that a breach by hackers will compromise a company’s own sensitive information, theft of customers’ PII could result in liability to affected customers. Courts around the country have reached different conclusions regarding this issue. The Ninth Circuit Court of Appeals has held that the risks associated with theft of PII confer standing on a plaintiff. Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). It remains somewhat unclear, however, exactly what sort of harm a plaintiff must have suffered in order to recover damages.

A very high-profile data breach occurred recently, when hackers stole millions of credit and debit card numbers from the retail chain Target’s computer system. Between November 27 and December 15, 2013, hackers reportedly stole financial information for about 40 million customers. In early January, the company announced that credit and debit card numbers for another 70 million customers had been compromised. The company offered identity theft protection and a year of credit monitoring, all free of charge, to its affected customers. Shortly after it announced the first data breach, however, the lawsuits began.

Customers started filing lawsuits against Target, including both individual and putative class action claims, in December 2013. On April 2, 2014, the Judicial Panel on Multidistrict Litigation (JPML) consolidated the claims in a single U.S. District Court for pretrial matters that are likely to be common to all of the claims. In re Target Corp. Customer Data Security Breach Litigation, No. 0:14-md-02522, transfer order (D. Minn., Apr. 2, 2014). As of June 16, 2014, the consolidated case includes 109 pending lawsuits asserting similar claims against Target.

At least three of the lawsuits originated in the U.S. District Court for the Northern District of California: Kirk v. Target Corp., No. 3:13-cv-05885 (N.D. Cal., Dec. 19, 2013); Wredberg v. Target Corp., No. 3:13-cv-05901 (N.D. Cal., Dec. 19, 2013); and Guzman, et al v. Target Corp., No. 3:13-cv-05953, complaint (N.D. Cal., Dec. 24, 2013). All three cases allege negligence, claiming that Target breached its “duty to exercise reasonable care in safeguarding and protecting [the plaintiffs’] information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” Kirk, complaint at 13.

The lawsuits also allege violations of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq., such as the “failure to disclose information concerning the data breach directly and promptly to affected customers.” Wredberg, complaint at 8. Two of the suits, Kirk and Guzman, allege civil liability for failure to safeguard customer records as required by Cal. Civ. Code §§ 1798.80, et seq.

If you or your business has a dispute over a contract or other business matter, a skilled business and commercial lawyer can advise you of your rights and protect your interests. Cirrus Law PC has represented Bay Area businesses since 1976. To schedule an initial confidential consultation to discuss your case, please contact us today online or at (925) 463-1073.

More Blog Posts:

Supreme Court Limits Jurisdiction of U.S. Courts over Foreign Corporations with Domestic Subsidiaries, Pleasanton Business & Commercial Law Blog, March 28, 2014

FTC Announces $3.5 Million Settlement, One of the Largest Ever, in FCRA Lawsuit, Pleasanton Business & Commercial Law Blog, February 26, 2014

Corporate Managers Held Personally Liable by California Court for Tortious Interference in a Subsidiary’s Contract, Pleasanton Business & Commercial Law Blog, January 31, 2014


Contact Information