Target's data woes will be costly

The massive consumer data breach at Target Corp. potentially exposes the company to years of litigation that could eventually cost it hundreds of millions of dollars.

In addition to thieves swiping the credit and debit card information from 40 million customers, the Minneapolis-based retailer disclosed Friday that the same criminals acquired names, addresses, and phone numbers from up to 70 million additional accounts.

The loss of such personal information significantly strengthens the legal cases of banks, credit unions and individuals looking to sue Target for fraud, negligence and invasion of privacy, some legal analysts say. Unlike credit and debit cards, which banks can quickly cancel or replace, most consumers are not about to change their names or where they live.

"It adds a lot more firepower [to lawsuits]," said Jack Tomarchio, an attorney who specializes in cybersecurity and data protection for the Buchanan Ingersoll and Rooney law firm in Philadelphia.

Normally, a plaintiff would need to prove specific damage from a data breach. "But the more personal information thieves stole, just the invasion of privacy claim alone could be enough [to prevail]," Tomarchio said.

Target spokeswoman Molly Snyder said the company does not comment on future or pending litigation. The company has said customers would have "zero liability" for any damage they suffer due to the theft of its data. It has offered to provide free credit monitoring and identity theft protection for customers for a year, and will announce details of that program soon.

Target, the nation's second-largest retailer with more than 1,900 stores and 360,000 employees, already faces at least 10 lawsuits seeking class-action status, Tomarchio said — a number that many legal analysts expect to climb.

The most significant question shadowing Target's legal exposure is how many customers had both their credit card information and personal information stolen, a possibility the company has acknowledged.

"There could be some overlap," Snyder said Friday.

Taken together, the data breach allows thieves not only to use the credit card information to make purchases, but to steal identities by creating false driver's licenses and other forms of identification. Such a scenario could lead to more-extensive fraud and greater legal exposure for Target, Tomarchio said.

For now, legal analysts say it's difficult to assess the extent of Target's liability given the still-evolving circumstances. But Eric Mazur, managing director at Huron Consulting Group, says it would cost banks at least $100 per card to cancel accounts and reissue cards because of the data breach.

Combined with consumer claims, "the cost to Target could be astronomical," said Mazur, whose specialties include computer forensics.

T.J. Maxx paid $168 million

In 2007, thieves stole consumer information from an estimated 100 million cards used at T.J. Maxx. The retailer ultimately paid out a total of $168 million in settlements, legal and regulatory costs. The breach at Target appears to be deeper and more damaging, some analysts say.

Normally, large corporations carry a general liability insurance policy to cover these types of bills. In Target's case, the company is self-insured, meaning the retailer sets aside a certain amount of money each year for potential losses.

Target put a total of $1.2 billion in fiscal years 2012 and 2011 into reserves to cover general liabilities and workers' compensation, according to documents filed with the Securities and Exchange Commission.

"We believe that the amounts accrued are appropriate," the filing said. "However, our liabilities could be significantly affected if future occurrences or loss developments differ from our assumptions."

For example, a 5 percent increase or decrease in average claim costs could have altered Target's self-insurance expenses by $31 million in fiscal 2012.

The company noted that insurance claims rarely are material to its financial statements. But Target has never experienced a data theft of this magnitude before — it is at least the second-largest known breach in U.S. retail history.

A key part of Target's legal defense will be whether the company can argue that it took "reasonable" steps to safeguard the data, such as employing a third party to ensure that its systems met industry standards, Tomarchio said.

Much of that depends on the outcome of Target's forensic investigation into how the thieves stole the information in the first place. Normally, companies are not supposed to store financial information (credit cards, PIN numbers) and personal information (names, addresses, phone numbers) in the same place, Mazur said.

"That's what puzzles me," Mazur said. "I'm not quite sure how the thefts of both sets of information happened."

In any case, Target should resolve these lawsuits as soon as it can, said Randy Maniloff, an insurance attorney with the White and Williams law firm in Philadelphia. Otherwise, the threat of legal liability will linger over shareholders for years, he said.

"You don't want unquantifiable uncertainty on your books."

Thomas Lee • 612-673-4113