Just days after acknowledging a massive hack of customer credit card data, Target is facing several lawsuits. And more could be on the way.
Customers in California, Oregon and Rhode Island have filed purported class actions in federal courts, alleging Target was negligent and did not protect their card information.
Target said last week that 40 million credit and debit card numbers, expiration dates and security codes had been stolen. It said it was cooperating with law enforcement and had contracted a private investigation firm. Target also said it began notifying banks, as well as "millions" of customers directly for whom it had email addresses.
It provided little information about how the hack took place until Monday, when spokeswoman Molly Snyder said investigators were looking at "malware that affected Target's point-of-sale system in our U.S. stores." She said the company was withholding additional details at the request of law enforcement.
Plaintiffs in California and Oregon alleged Target "failed to implement and maintain reasonable security procedures and practices."
Robert Ahdoot, a lawyer for the California plaintiffs, said he spoke to customers who claimed unauthorized ATM withdrawals had been made from their accounts.
"Target has an obligation to provide adequate security for the financial information they collect," Ahdoot said.
The Rhode Island suit also alleged negligence, and claimed customers would not have purchased from Target if they knew of the breach, which lasted from Black Friday through mid-December but was not disclosed until last week.
Snyder, the Target spokeswoman, said the company doesn't "comment on pending litigation."
Filing the suit is the first step but a judge would have to certify that affected customers constitute a "class."
A class action is "a different animal in legal work" from other types of cases, said Anne Bremner, a defense lawyer who has handled many such cases.
Judges would consider whether members of the class were similarly damaged; whether the plaintiffs are typical of and can adequately represent the class; and whether individual lawsuits would be impractical.
Target, she said, could choose to argue the plaintiffs haven't shown they were damaged by the breach.
"You can't just sue because something happened," Bremner said. "You have to have a claim and a damage."
And additional suits against Target could be filed in coming weeks, including some in state courts. Judges could decide to consolidate these and others into an individual lawsuit against the retailer.