Donna Wilson of Manatt, Phelps & Phillips, LLP writes:
Banks continue to file suit against retailers, hoping to shift the costs of data breaches, with some recent success.
In January 2016, hackers accessed Eddie Bauer’s point-of-sale register system and installed malicious software that infected every Eddie Bauer store in the United States and Canada. Using the malware, the hackers were able to steal credit and debit card data from the system and sell it to third parties, who made fraudulent transactions on those payment cards.
Earlier this year, Veridian Credit Union filed suit against the national retailer, alleging that it suffered significant property damage to the unique data included on the payment cards and financial losses in connection with covering its customers’ losses due to the data breach, such as reissuing credit and debit cards to its customers.
Veridian claimed that the data breach and its injury were the foreseeable results of Eddie Bauer’s inadequate data security measures, which the company knew were insufficient to protect against recognized threats. Eddie Bauer moved to dismiss.
After deciding that Washington law applied to the action, U.S. District Judge James L. Robart denied the motion, allowing the suit to move forward on Veridian’s negligence claim.
Read more on JDSupra. The Eddie Bauer case is getting a lot of attention, and rightfully so, I think. Not every state has a law like Washington’s, but would this be one way to get businesses more worried about successful litigation and costs of a breach?