On Tuesday a District Court judge in Minnesota ruled that banks could sue Target in a class-action lawsuit (PDF) alleging that the big box retailer was negligent in its protection of the credit card data it took from customers.
In 2013, Target sustained what the judge called “a massive breach” of its Point of Sale (POS) network. Hackers were able to place malware on Target’s POS system just before the holiday season, resulting in the theft of 40 million consumer credit card numbers as well as personal information like phone numbers and e-mail addresses from some 70 million customers.
A year later, banks asked to be able to sue Target for its negligence, and the judge granted the request. This marked an interesting twist in Target’s data breach saga—while the cost of credit card fraud is usually left up to the issuer to shoulder (hence the interchange fees that merchants are forced to pay), here the legal system would be used to cover some of the fraud costs if the plaintiffs could prove that Target was negligent in securing its systems.