District Court Certifies Class in Target Data Breach Case | Practical Law

In In re Target Corp. Customer Data Security Breach Litigation, the US District Court for the District of Minnesota granted a motion for class certification creating a class of financial institutions that had issued payment cards compromised in the data breach that occurred at Target Corp. The court dismissed Target's arguments against the certification and found that the plaintiffs had met all the requirements for class certification, including the commonality and predominance requirements.

Practical Law Legal Update 9-618-8586 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 22 Sep 2015
USA (National/Federal)
On September 15, 2015, in In re Target Corp. Customer Data Security Breach Litigation, the US District Court for the District of Minnesota granted a motion for class certification creating a class of financial institutions that issued credit and debit cards compromised in the data breach that occurred at Target Corp. in 2013 (No. 14-2522, (D. Minn. Sept. 15, 2015)). The court rejected Target's arguments opposing certification and found that plaintiffs had met all the requirements for class certification, including the commonality and predominance requirements.
This case arises from a 2013 data breach of Target's computer system that gave hackers access to the financial information of more than 40 million consumers. The financial institutions that issued the consumer credit and debit cards compromised during the data breach filed suit against Target alleging that they suffered injury replacing cards for customers, reimbursing fraud losses and taking various other remedial steps. The plaintiffs claimed that Target:
  • Was negligent in failing to provide sufficient security to prevent hackers from accessing customer data.
  • Violated Minnesota's Plastic Card Security Act (PCSA), which also constituted negligence per se.
The financial institution plaintiffs sought class certification under FRCP 23(b)(3) and Target opposed the motion. Target argued that class treatment on plaintiffs' negligence and PCSA claims was improper because:
  • Plaintiffs' negligence claims are subject to the conflicting laws of different states.
  • Plaintiffs' injuries are "risk of future harm" injuries that cannot be supported by class-wide proof.
  • Plaintiffs were not required by law to reissue customer cards and thus, the decision to reissue cards was a business decision, not an injury proximately caused by the data breach.
  • There can be no class-wide proof to show whether a bank's remedial actions were reasonable or were undertaken as a result of the breach.
Target also argued that the following damages issues preclude class treatment:
  • Plaintiffs lack standing because they had not established that all members suffered injury.
  • The Seventh Amendment prohibits class treatment because Target has comparative fault affirmative defenses to liability, which vary significantly from class member to class member and must be heard by the same jury that hears plaintiffs' evidence on liability.
  • The damages from card replacement and fraud loss reimbursement must be calculated on a bank-by-bank basis and therefore, individual damages issues predominated over any potential class-wide issues.
The court rejected Target's arguments and found that the plaintiffs had met the requirements for class certification under FRCP 23(b)(3). With respect to the substance of plaintiffs' negligence and PCSA claims, the court explained that:
  • Even if the class members' states have substantively conflicting negligence laws, Minnesota law applies to the entire class because there are sufficient contacts between Minnesota and the action. The court pointed out that:
    • Target is headquartered in Minnesota; and
    • Target's decisions regarding how to thwart malware were largely made in Minnesota.
  • The case is not a "risk of future harm" case because plaintiffs already suffered harm, including by having to reissue cards to their customers.
  • Legal necessity of remedial action is not required to establish injury or causation and a reasonable jury could find that plaintiffs' remedial actions were warranted and proximately caused by the data breach.
  • Whether plaintiffs' remedial actions were reasonable in the face of the data breach could be determined class-wide and need not be examined with respect to each institution individually.
Target's damages arguments did not prevent class certification because:
  • It was clear that every financial institution whose customers' cards were stolen in the breach suffered an injury in fact and therefore has standing.
  • All of Target's affirmative defenses, including its comparative fault defenses, relate to the amount of damages and not liability. Thus, there is no Seventh Amendment issue.
  • Losses related to customer card replacement and fraud loss reimbursement could be calculated on a class-wide basis.
  • Even if some individualized proof of damages is required:
    • plaintiffs made a sufficient showing at this stage; and
    • if class-wide damages ultimately could not be calculated, a damages class could then be decertified and damages questions determined after the liability phase ends.
The court further found that Target's arguments against the other class certification requirements essentially rested on the predominance and commonality questions already discussed and dismissed them accordingly. The court granted the motion for class certification and appointment of class representatives and class counsel.
The court also distinguished In re TJX Cos. Retail Security Breach Litigation, the only other financial institution data breach case to reach the class certification stage (246 F.R.D. 389 (D. Mass. 2007).) In that case, the district court denied certification because the claims were for misrepresentation and consumer fraud, both of which required proof of each plaintiff’s individual reliance, making proof of class-wide liability impossible.