A group of First Farmers & Merchants banks in southern Minnesota has sued Target Corp. over alleged damages from the retailer's data breach late last year.
While a number of financial institutions from around the country have sued the company since news of the data heist broke, the First Farmer & Merchants lawsuit is believed to be the first by a financial institution on Target's home turf in Minnesota.
"The way that this has happened, it's the banks whose exposure is greatest here, " said Garrett Blanchfield, a lawyer at Reinhardt Wendorf & Blanchfield in St. Paul representing the local banks. "We think the Minnesota laws provide a sound basis for us."
The complaint doesn't specify a damage amount but says the banks have had to refund fraudulent charges, close and reopen checking and savings accounts and cancel and re-issue credit and debit cards.
As of February, banks and credit unions nationally estimated they've spent more than $200 million replacing credit and debit cards whose data were snatched in the attack on the retailer's computer system.
The banks are First Farmers & Merchants National Bank in Luverne, First Farmers & Merchants National Bank in Fairmont, First Farmers & Merchants State Bank in Brownsdale, First Farmers & Merchants State Bank of Grand Meadow and First Farmers & Merchants Bank in Cannon Falls.
The sister banks, which make a lot of agricultural loans, together have assets of about $657 million, and employ about 166 people, government filings show. They are subsidiaries of Minneapolis-based 215 Holding Co. The group of banks declined to comment on the lawsuit.
Suit could test 2007 law
The suit, filed Saturday in U.S. District Court in Minnesota, could be the first test of Minnesota's "Plastic Card Security Act," some attorneys say. The 2007 law requires a merchant that improperly holds payment card data and doesn't adequately protect it to reimburse financial institutions for any losses from a breach.
Minnesota is one of about three states with such a law, said George Meinz, a principal in Gray Plant Mooty's St. Cloud office who counsels financial institutions on payments compliance.
"This is really a national stage for this law and it's rather unique in the U.S.," Meinz said.
The banks accuse Target of negligence, negligence per se, breach of contract and violating the Plastic Card Security Act.
Target is in the middle of several investigations into the cyberattack. Target spokeswoman Molly Snyder said the company doesn't comment on litigation.
The nation's No. 2 discount retailer continues efforts to reassure the public. It posted a message from CEO Gregg Steinhafel on its website Monday saying the company decided to disclose that the personal information of as many as 70 million customers had also been stolen, in addition to the payment information of 40 million people, even though "the number of people affected was likely to be exaggerated and misunderstood."
Steinhafel said that "a number of those 70 million entries were duplicative" and that there is overlap between the hacked credit card data and personal information. He didn't characterize how much overlap.
"We knew many reports would simply, and incorrectly, combine the 40 million and 70 million figures to arrive at 110 million total affected guests," Steinhafel said in the message. "And sure enough, many did."
Snyder said the company may not ever know how much overlap there is between the two sets of stolen data.