Umpqua Bank Files Class Action Lawsuit Against Target; Survey Asks Whether Retailer Should be Held Liable for Losses Incurred by Credit Unions and Banks

March 25, 2014

Should Target be held liable for breach-related losses incurred by credit unions and banks?

Take the Survey

Should Target be held liable for breach-related losses incurred by credit unions and banks?

That’s the question the Portland Business Journal is asking in an unscientific poll this week after learning that Portland-based Umpqua Bank has become the latest financial institution to file a class action lawsuit against the retailer over the massive theft of financial data during last year’s holiday shopping season.

The lawsuit, filed March 10 in U.S. District Court in Minnesota, claims the retailer failed to maintain adequate data security protocols, resulting in a massive hack that compromised the payment-card and personal information of more than 110 million Target customers nationwide. In addition to “track data” from debit and credit cards, thieves also stole customer names, mailing addresses, phone numbers and email addresses in what was one of the biggest thefts of its kind in U.S. history.

Nearly 80 lawsuits have been filed against Target as a result of the heist, but cybersecurity attorney and financial fraud expert Joseph Burton told the website Data Breach Today that the Umpqua suit is unique. It alleges violations of the Minnesota Plastic Card Security Act, which prohibits retailers doing business in Minnesota, Target’s headquarters, from retaining sensitive card stripe data after authorization of the transaction.

“The law also requires a retailer who has violated this prohibition to reimburse the costs incurred by any financial institution which issued payment cards affected by the breach of the retailer’s system,” Burton told Data Breach Today. “While a number of states had in the past professed an interest in passing similar statutes, Minnesota is the only one that has done so.”

Umpqua is seeking class action status for its lawsuit, with the class comprised of all financial institutions — including banks and credit unions — that had customer accounts compromised as a result of the data breach. Umpqua is also seeking a sub-class specifically for financial institutions in Oregon.

Umpqua claims in the lawsuit that it and other financial institutions have incurred staggering costs associated with protecting consumers’ accounts. Some estimates put the total at about $200 million; a survey by the Credit Union National Association puts the cost to credit unions alone at about $30.6 million, including $2.6 million in the Pacific Northwest.

That total reflects the cost of reissuing credit and debit cards, as well as costs for additional staffing, member notification and account monitoring. It does not include fraud losses, which CUNA and the Umpqua lawsuit say are likely to occur later and could be substantial.

Umpqua is asking the court for a jury trial and is seeking relief that includes actual damages, compensatory damages and punitive damages. The bank is seeking relief from Target, the lawsuit says, because, “in situations such as these, where over 100 million consumer accounts have been compromised and are being actively traded on the black market, financial institutions become the de facto insurer of the negligent retailer.”

Most Portland Business Journal readers apparently believe that shouldn’t be the case. Through Tuesday:

  • 65 percent of those responding to the newspaper’s survey say Target should be held liable for fraud-related losses incurred by financial institutions;
  • 20 percent say Target should not be held liable; and
  • 15 percent say they aren’t sure.

To take the survey, go to the Portland Business Journal’s website. The lawsuit filed by Umpqua Bank is available online here.

Questions about this story? Contact Gary M. Stein: 503.350.2216,

Posted in Article Post.