U.S. District Judge Paul Magnuson on Tuesday certified a class action lawsuit brought by several banks against Target over the company's massive 2013 data breach, which exposed at least 40 million customers' credit card information, Reuters reports.
Target spokeswoman Molly Snyder told Reuters the company is "disappointed" by the ruling and is evaluating its next steps.
"This important ruling brings financial institutions one step closer to collectively holding Target accountable for its unprecedented data breach," Charles Zimmerman, one of the lead lawyers representing the banks, said in a statement.
The ruling follows Target's recent agreement to pay as much as $67 million to financial instutitions that issue Visa cards -- a proposed $19 million settlement with MasterCard fell through earlier this year because an insufficient percentage of affected banks supported the deal.
Carrie Hunt, senior vice president of government affairs and general counsel at the National Association of Federal Credit Unions, said in a statement that the organization is pleased with the decision to certify the class action. "As we have consistently maintained, credit unions deserve to be made whole for their losses, and this includes the opportunity to pursue all legal options available," she said. "Today’s class certification constitutes one important avenue for recovery."
Still, Hunt said, the lawsuit is only one part of the equation. "To prevent these types of data breaches in the future, Congress must act to protect consumers' financial information by enacting national data security standards for retailers and holding them directly accountable for their data breaches," she said.
STEALTHbits channel marketing manager Jeff Hill noted by email that U.S. courts have thus far been reluctant to side with plaintiffs against breached enterprises, let alone to certify class action suits. "This Target decision joins the recent loss by Wyndham in its five-year battle against the Federal Trade Commission's asserted right to regulate enterprise cyber security in the bad news bucket for any organization with a computer network and data to protect," Hill said.
"This decision raises the stakes yet again for organizations that were the victims of a data breach," STEALTHbits marketing manager Nathan Sorrentino added. "A new precedent has been set -- be prepared to not only face financial backlash from the general public, but from the banks and credit card companies as well."
Photo courtesy of Shutterstock.