Target data breach class actions withstand dismissal
March 2015 | EXPERT BRIEFING | LITIGATION & DISPUTE RESOLUTION
The highest profile data breach incident in recent years in the US was the data breach sustained by large retailer Target in December 2013, which resulted in the theft of credit and debit card information for approximately 110 million of Target’s customers. That event has spawned two sets of proposed class actions against Target, one on behalf of financial institutions and one on behalf of consumers. In separate opinions issued in December 2014, a federal judge in Minnesota allowed most of the claims asserted in the two cases to proceed into discovery.
The financial institutions class action
On 2 December 2014, the judge ruled that a group of banks and other financial institutions (FIs), could proceed with their proposed class action against Target. See In re Target Corp. Customer Data Security Breach Lit., __ F. Supp. 3d __, 2014 WL 6775314 (D. Minn. Dec. 2, 2014). The FIs had issued credit and debit cards to consumers whose financial data was stolen during Target’s data breach and they sought damages for the losses resulting from the breach.
The FIs’ suit alleged, in part, that negligent acts and omissions by Target resulted in the data breach that compromised consumers’ financial information. In moving to dismiss the allegations, Target argued that it had submitted all consumer charges to a credit and debit card processor (an ‘acquirer bank’), which in turn processed the transactions with the FIs that had issued credit and debit cards to Target’s customers (the ‘issuer banks’). Target argued that the issuer banks could not sue for negligence because Target had no direct relationship with the issuer banks and, therefore, owed no duty of care.
The court denied Target’s motion to dismiss, holding that the FIs’ complaint pleaded sufficient facts to allege that Target’s conduct “created a foreseeable risk of the harm that occurred” and that the FIs were “foreseeable victims”, thus giving rise to a duty of care under Minnesota law. Id., *3. The court acknowledged that “third-party hackers’ activities caused [the] harm”, but found that the complaint sufficiently alleged that Target’s conduct “played a key role in allowing the harm to occur”. Id. The court allowed the FIs’ claims of negligence and negligence per se, as well as violations of Minnesota’s Plastic Card Security Act, to proceed.
The consumer class action
Sixteen days later, on 18 December, in a 46-page opinion, the same judge ruled that the putative class of consumers could proceed with the majority of their claims against Target. See In re Target Corp. Data Sec. Breach Litigation, __ F. Supp. 3d __, 2014 WL 7192478 (D. Minn. Dec. 18, 2014). The consumers assert financial losses based on allegations that their credit and debit card information was stolen during the data breach.
The court first addressed the threshold issue of standing, a basis upon which many courts have dismissed proposed data breach class actions due to a lack of actual injury sufficient to confer standing. The In re Target court held, however, that the plaintiffs had sufficiently pleaded injuries that were “actual or imminent”, including “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees”, which, the court held, was “sufficient to plead standing”. Id., *2.
Turning to the substance of the claims pleaded in the complaint, the court analysed many states’ consumer protection laws and data breach statutes. For example, the consumer protection laws and data breach statutes in certain states prohibit private rights of action or do not permit their assertion in a class action suit. The plaintiffs withdrew some of their allegations as a result, and the court dismissed a few additional claims, but for the most part the court permitted the plaintiffs to proceed with claims unless the pleadings were insufficient under the clear language of applicable state laws.
The court also preserved most of the plaintiffs’ common law negligence claim, except with respect to five states that impose the economic loss rule, which bars a plaintiff from recovery of purely economic losses under a tort theory of negligence. On the other hand, the plaintiffs’ claim of bailment was dismissed with prejudice because, according to the court, the plaintiffs did not allege that Target wrongfully retained any information.
The court also held that the plaintiffs’ claim for breach of implied contract was sufficiently pleaded, and a determination of the terms of an alleged implied contract was left as a factual question for a jury to determine. The court, however, dismissed without prejudice the plaintiffs’ breach of contract claim for certain debit cardholders. The complaint alleged that in the cardholder agreement, Target claimed to “use security measures that comply with federal law”, and the court held that in order to sufficiently plead a breach of contract, the complaint would need to identify the federal laws with which Target allegedly failed to comply.
The plaintiffs’ final claim, for unjust enrichment, was pleaded in two theories. First, they argued that Target overcharged consumers by selling goods at a price that was presumed to include a premium for adequate data security. The court rejected this theory, observing that all consumers paid the same price regardless whether the payment met the required security, i.e., cash or credit. The court, however, did find merit in the plaintiffs’ second theory, which posited that consumers “would not have shopped” at Target had they been notified after Target knew or should have known of the breach. Id., *23.
The In re Target rulings should be considered, on the whole, victories for the plaintiffs in those cases (the FIs and the consumers). Furthermore, these opinions will provide fodder for courts to consider in deciding future motions to dismiss subsequent high-profile data breach class actions.
Barry Goheen is a partner at King & Spalding LLP. He can be contacted at +1 (404) 572 4618 or by email: firstname.lastname@example.org.
© Financier Worldwide
King & Spalding LLP