The financial hit for credit card breach could run into hundreds of millions of dollars for the self-insured retailer.
The massive consumer data breach at Target Corp. potentially exposes the company to years of litigation that could eventually cost it hundreds of millions of dollars.
In addition to thieves swiping the credit and debit card information from 40 million customers, the Minneapolis-based retailer disclosed Friday that the same criminals acquired names, addresses, and phone numbers from up to 70 million additional accounts.
The loss of such personal information significantly strengthens the legal cases of banks, credit unions and individuals looking to sue Target for fraud, negligence and invasion of privacy, some legal analysts say. Unlike credit and debit cards, which banks can quickly cancel or replace, most consumers are not about to change their names or where they live.
“It adds a lot more firepower [to lawsuits],” said Jack Tomarchio, an attorney who specializes in cybersecurity and data protection for the Buchanan Ingersoll and Rooney law firm in Philadelphia.
Normally, a plaintiff would need to prove specific damage from a data breach. “But the more personal information thieves stole, just the invasion of privacy claim alone could be enough [to prevail],” Tomarchio said.
Target spokeswoman Molly Snyder said the company does not comment on future or pending litigation. The company has said customers would have “zero liability” for any damage they suffer due to the theft of its data. It has offered to provide free credit monitoring and identity theft protection for customers for a year, and will announce details of that program soon.
Target, the nation’s second-largest retailer with more than 1,900 stores and 360,000 employees, already faces at least 10 lawsuits seeking class-action status, Tomarchio said — a number that many legal analysts expect to climb.
The most significant question shadowing Target’s legal exposure is how many customers had both their credit card information and personal information stolen, a possibility the company has acknowledged.
“There could be some overlap,” Snyder said Friday.
Taken together, the data breach allows thieves not only to use the credit card information to make purchases, but to steal identities by creating false driver’s licenses and other forms of identification. Such a scenario could lead to more-extensive fraud and greater legal exposure for Target, Tomarchio said.
For now, legal analysts say it’s difficult to assess the extent of Target’s liability given the still-evolving circumstances. But Eric Mazur, managing director at Huron Consulting Group, says it would cost banks at least $100 per card to cancel accounts and reissue cards because of the data breach.
Combined with consumer claims, “the cost to Target could be astronomical,” said Mazur, whose specialties include computer forensics.
T.J. Maxx paid $168 million
In 2007, thieves stole consumer information from an estimated 100 million cards used at T.J. Maxx. The retailer ultimately paid out a total of $168 million in settlements, legal and regulatory costs. The breach at Target appears to be deeper and more damaging, some analysts say.
Normally, large corporations carry a general liability insurance policy to cover these types of bills. In Target’s case, the company is self-insured, meaning the retailer sets aside a certain amount of money each year for potential losses.
Target put a total of $1.2 billion in fiscal years 2012 and 2011 into reserves to cover general liabilities and workers’ compensation, according to documents filed with the Securities and Exchange Commission.
“We believe that the amounts accrued are appropriate,” the filing said. “However, our liabilities could be significantly affected if future occurrences or loss developments differ from our assumptions.”