Consumers: The Pac-Man of Retail Liability

Seth Fortenbery, KLJ Staff Editor[1]

In the wake of ever-increasing retail data breaches—including most recently those at Target,[2] Sony,[3] and Home Depot[4]—notions of consumer data protection are trending.  And while consumers see that damages from these breaches are often six figures or greater, it is unclear that these figures, or the current liability scheme, are adequate to incentivize tighter security for your financial information.  For consumers to affect the security measures taken by corporations, they will likely have to direct their collective spending power.

While the current liability scheme has money damages from data leaks rising well into the millions, the portion borne by large corporations can seem like a drop in the bucket.  Take Target’s 2013 breach, for example: after tax deductions and insurance payments, Target has absorbed around $105 million in costs from the breach, a figure around 0.1% of its revenue for 2014.[5]  A 2014 high-profile hack of Sony was estimated to have cost the company the equivalent of 0.9-2.0% of its projected sales for 2014.[6]  Another 2014 hack, this one of Home Depot, was estimated to have cost 0.01% of the year’s sales.[7]  And while the average large corporation lost $12.7 million in 2014 due to data breaches,[8] updating cybersecurity systems can cost much more than the breaches themselves.[9]  The relatively low cost of data breaches suggests that they are not so crippling as to deter large corporations from passing them on to consumers the following year, or simply accounting for them in annual budgets.

This is possible because the current liability scheme does not require retail corporations to ultimately bear the full consequences of leaking your data.  Although it is the retail corporation that compromises your financial information, it is your financial institution (your bank, credit card company, etc.) that reimburses you for fraudulent charges.[10]  Once a breach occurs, it would seem that financial institutions should be able to recover their reimbursement expenses from the retail corporation, since the retail corporation was the bad actor.  But because fraud protection programs on your bank account are contracted strictly between you and your bank, it is unclear that retail corporations would be liable when those programs are triggered; since the financial institutions make those guarantees as a way to lure in consumers, they likely bear some of the financial risk when fraud occurs.  And in practice, settlement agreements offered by retail companies have covered much less than the full amount financial institutions reimbursed to consumers.[11]

Finally, retail corporations do not fear lawsuits by consumers.  Difficult standing requirements in federal court make it nearly impossible for litigants to establish a cognizable legal injury; after all, consumers have been reimbursed for fraudulent charges on the front end by financial institutions, and the Supreme Court has yet to rule on whether potential future harm resulting from a breach is too speculative to count as legal injury.[12]  Such a view, however, fails to consider that financial institutions are playing with house money—their losses are simply reflected in the fees paid by consumers for fraud protection programs.[13]  This means the portion of liability they absorbed from retail companies is ultimately passed on to the consumer, leaving the bad-acting retail corporations paying less than full price for leaking your information and having less incentive to update their cybersecurity.

Rather than the reimbursement of financial institutions or the cost of upgrading their cybersecurity after a breach, it is the loss of consumer goodwill that corporations fear most.  It is almost impossible to predict or quantify the losses that a corporation will face when consumer trust and goodwill erode.[14]  So the bottom line: consumers still have the power to affect corporate cybersecurity, but it comes through forgoing shopping at certain retailers, not through the existing liability scheme.

[1] J.D. expected May 2017.

[2] See Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores (Dec. 19, 2013),

[3] See FBI National Press Office, Update on Sony Investigation (Dec. 19, 2014),

[4] See Home Depot Customer Update on Data Breach (2014),

[5] See Hackett, How Much Do Data Breaches Cost Big Companies? Shockingly Little (Mar. 27, 2015, 5:28 AM),

[6] Id.

[7] Id.

[8] Ponemon Inst., 2014 Cost of Cyber Crime Study: United States (2014).

[9] Skariachan & Wahba, US Retailers Face Pressure to Raise Cyber Security Spending, Reuters (Feb. 5, 2014, 5:52 AM), security-idUSBREA1409H20140205 (noting Target spending around 100 million dollars to convert to a “chip” credit card system for security purposes).

[10] Sandeep Dhameja et al., Clarifying Liability for Twenty-First Century Payment Fraud, 37 Economic Perspectives pt. 3, 111 (2013).

[11] See Settlement Agreement between Mastercard Corporation and Target Corporation, Privacy and Sec. Matters at 9 (Apr. 15, 2015) (limiting recovery to 71.4% of the normal recovery amount and capping total recovery at $19,000,000 for all financial institutions issuing Mastercards and opting in).

[12] Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 185 (2013) (requiring that actual injury result to the consumer from the breach—injury that must be “concrete, particularized…and fairly traceable to the challenged action”).

[13] See Consumer Action, Questions and Answers About Credit Card Fraud, at 11 (2009) (accessed at

[14] See Hackett, How Much Do Data Breaches Cost Big Companies? Shockingly Little (Mar. 27, 2015, 5:28 AM),