In the Target incident, nearly 50 million cards were compromised and in the past the banks have borne the costs of replacements but until this year, the breaches have never been so large. The new ruling allows banks to sue the merchants if there is enough evidence to prove that the company was "negligent" in securing their networks and customer data.
In the case of Target, a number of banks sued claiming that Target "ignored security software alerts and disabled some of its security features" before they were attacked, and the judge agreed.
"Plaintiffs have plausibly alleged that Target's actions and inactions -- disabling certain security features and failing to heed the warning signs as hackers' attack began -- caused foreseeable harm to plaintiffs," Judge Magnuson wrote in his ruling. "Plaintiffs have also plausibly alleged that Target's conduct both caused and exacerbated the harm they suffered."
Before the cyber attack, Target had installed state-of-the-art $1.6 million advanced breach detection software from FireEye but allegedly ignored numerous warnings from the technology until it was much too late.
Source:
NYT