Target has filed a motion to dismiss a class action complaint filed by a number of banks related to the December 2013 attack by hackers resulting in the massive breach of customers’ credit/debit card information. The banks’ class action seeks damages related to the costs incurred when the banks issued new cards and reimbursed fraudulent charges.

In the brief in support of its motion to dismiss, Target claims the banks do not have a viable action because there is no “special relationship” between Target and the banks requiring Target to protect the banks against criminal conduct of third parties. Specifically, Target takes the position that the banks could not sue Target because the banks and Target do not deal directly with each other when a person uses a credit card for a purchase at Target. Instead, when customers swipe a credit card at Target, Target gets an authorization for the purchase from a processing center, not from the bank. In turn, the banks receive authorization for the same purchase under the terms of their contracts with a credit card company.

Even though the court has yet to decide this issue, Target’s position demonstrates the complexities of establishing a viable cause of action in data breach cases. In addition to establishing liability based on the conduct of a third party, plaintiffs in these cases are required to untangle the webs created by highly technical issues (“custom point-of-sale malware” at Target cash registers) coupled with the various contracts and obligations controlling the private data and information. This burden is substantial even for sophisticated litigants such as the banks in the Target case.