Privacy & Information Security Law Blog

On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

The plaintiff financial institutions assert claims for negligence, violations of Minnesota’s Plastic Security Card Act (“PSCA”) and negligence per se (based on the alleged violation of the PSCA). The alleged damages include the costs of providing replacement cards, and reimbursing fraud losses and other post-breach remediation expenses.

The focus of Target’s class certification argument and the court’s analysis was on the intertwined concepts of commonality and predominance. Target argued that: (1) choice-of-law issues would overwhelm the other issues; (2) there was no class-wide proof to support the PSCA and negligence claims; and (3) the calculations of damages on a plaintiff-by-plaintiff basis would predominate the litigation.

Choice of Law
The court dismissed Target’s argument that Minnesota law – including the PCSA – should not apply to the claims due to a lack of a significant nexus to Minnesota. Even assuming that conflicts existed between Minnesota and other states’ laws, the court determined that it could apply Minnesota law to the plaintiffs’ claims due to the “legion” contacts with Minnesota: “Target is headquartered in Minnesota; its computer servers are located in Minnesota; [and] the decisions regarding what steps to take or not take to thwart malware were made in a large part in Minnesota.”

Class-wide Proof
The court distinguished the class-wide proof required to establish injury and causation in a data breach for banks or credit unions and those required for consumers. Although future injury has been problematic in consumer cases, the financial institution plaintiffs reissued “nearly every card” that was subject to the breach alert. The court emphasized that this was not a “future harm.”

Judge Magnuson found such costs were not merely a “business decision” as opposed to an injury proximately caused by the breach, even when there is no contract, law or regulation requiring card reissue. Indeed, the court dismissed Target’s suggestion that financial institutions do nothing in reaction to a data breach as “absurd.” The court concluded that whether or not the remedial steps banks took in the wake of the breach to protect their cardholders were reasonable could be decided on a class-wide basis.

Damages
The court acknowledged that there may be difficulties establishing class-wide proof of damages. Such issues generally do not preclude class certification as long as the individual issues do not outweigh the class-wide issues. The court also left open the possibility that after class-wide liability is determined, damages questions may be left open for later resolution. Noting that the case of In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389 (D. Mass. 2007) was the only financial data-breach case to reach the class certification stage, the court also distinguished the TJX denial of class certification based on that case’s misrepresentation and consumer-fraud claims. “The reliance issue in TJX made proving class-wide liability impossible,” which the court found “very different” from the facts presented in the Target case. The court also rejected Target’s damages arguments under the Seventh Amendment. Additionally, the court found that reissuance and fraud damages could be calculable on a class-wide basis, based on an expert opinion proffered by plaintiffs.

Update: On December 2, 2015, Target agreed to a settlement of $39 million, most of which will be paid directly to class members.