At the height of the holiday shopping season, Target Corp. (TGT:NYSE) announced that customer credit card data had been compromised. The breach reportedly occurred between November 27 and December 15, 2013. Initially, Target reported that only credit card data had been accessed — not debit card data or Target’s own credit card. Target assured customers that debit card PIN data had not been compromised. Though the breach was large — 40 million customers — Target promised that the financial harm would be limited: “You will not be responsible for fraudulent charges — either your bank or Target have that responsibility.”
The scope of the breach has grown since the initial disclosure. In addition to the payment data that was previously disclosed, Target reported that “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals” had been taken. Target has confirmed that encrypted PIN data for debit cards was taken as well. Target again told customers — but not lenders and credit unions — that they would “have zero liability for the cost of any fraudulent charges arising from the breach.”
Target’s customers, and the lenders that issued their credit and debit cards, are potentially on the hook for at least some of the unauthorized charges. While the liability of credit card customers tops out at $50, the liability of debit card holders is not as clear. Depending on when a debit card customer notices and reports the unauthorized charge, he or she can be liable for $500 of unauthorized charges if the loss is not reported within two days. Also, refunds to debit cards can take much longer to process, leaving people with limited or no funds to pay bills and buy essential items until the unauthorized charge is reversed.
Lenders issuing the compromised credit and debit cards are on the hook as well. Indeed, some credit unions have already taken action to hold Target accountable for their losses. These lenders have claims for money refunded to their customers for fraudulent charges, and for the cost to close accounts, and reissue new checks, debit cards and credit cards — all during the peak of the holiday season.
Whether filed by consumers or lenders, the cases against Target will address whether it maintained adequate computer data security of customer credit and debit card information. When processing transactions for cards bearing the logos of Visa, Master Card and others, Target is prohibited from storing unprotected information of cardholders. Yet, that is precisely the information that was compromised.
As the use of electronic payment methods continues to skyrocket, protecting the confidentiality of that information is paramount. While the loss of data security at Target is alarming for its scope and timing, the fact is that these incidents are occurring regularly throughout the United States. In the last week, Neiman Marcus disclosed that some of its customer payment card data was compromised. Customers, lenders and credit unions should be careful to protect their right to be made whole when these breaches occur. While Target has vowed to absorb any loss, it has not yet done so and, indeed, has not yet determined the extent of the loss or the limits of its liability.
Three Tips to Protect Your Identity:
- You should carefully watch activity on your account statements and immediately report any unauthorized charges. This is particularly important if you used a debit card at Target.
- The scope of the breach, and the accessibility of your personal information, is mostly unknown at this point. It is important that you remain vigilant and continue to monitor your payment card activity in the coming months.
- Target lost customer names, email addresses and other personal information, so you should be careful not to respond to phishing emails which would compromise more of your personal information.
Strauss Troy is investigating potential claims for consumers and lenders arising out of the Target data breach. If you would like to discuss a potential claim, call me at 513.629.9417 or Ron Parry at 513.629.9485.