Judge Magnuson dismissed Target's arguments that it should only be liable for Minnesota transactions, and that the company shouldn't be liable for data stolen from point of sale terminals instead of from its databases.
Target did store some data in violation of the state law, specifically the CVV codes for the payment cards, which made the breach more serious, Magnuson said.
The decision as a whole is an important one for the retail industry, said Amy Mushahwar, counsel and Chief Information Security Officer at Washington, D.C.-based ZwillGen PLLC.
"This is a ruling that we're all going to be living with for a very long time."
The case builds on the existing agreements between merchants and payment card processors, she added.
"When you get a merchant account, you agree to be responsible for any fraudulent charges that result from you not being PCI DSS compliant," she said, referring to the Payment Card Industry's Data Security Standard.
This ruling just solidifies the premise that's already been established, she said.
"Realistically, though, what is most concerning about the target breach, is that the breach happened via an HVAC vendor," she said. "This was not a segment of Target's network that it viewed as being a part of the payment card network."
Turning off alerts altogether isn't an option, she added, since companies must have the ability to respond to incidents. But as companies move to technology that prioritizes some alerts over others, they need to be careful about potentially giving up control.
"There are new systems where much of the tuning of the alerting functions and capability happens at the device level and program level, so that companies are getting less visibility in their alerting functionality," she said. "So this problem will become even more difficult."
Magnuson's ruling could have been even worse for retailers if he had sided with the banks on the definition of the word "retain." Although Target did not save credit card numbers, the hackers themselves temporarily stored the numbers on Target's servers so that Target was, technically, in possession of those numbers. The ruling sidestepped the question of whether Target was liable for this, leaving this issue still up in the air.
Sign up for Computerworld eNewsletters.