On September 15, 2015, a federal district court in Minnesota granted a motion for class certification of hundreds of credit unions and banks in an action against Target Corporation for damages stemming from the breach of Target’s computer network in late 2013. According to the court, the 2013 breach involved hackers gaining “virtually unfettered access to Target’s computer system, ultimately extracting the financial information of more than 40 million consumers.” In his order, United States District Court Judge Paul A. Magnuson rejected Target’s arguments against the certification request and certified the class as “[a]ll entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”
Previously, the Target data breach litigation had been separated into two “tracks”—one for financial institutions and another for consumers. The September 15 class certification order related to plaintiffs in the financial institution track; the action in the consumer track has settled (pending court approval). The plaintiffs in the financial institutions “track” were issuers of payment cards (e.g., credit and debit cards) used by consumers at Target stores during the 2013 data breach. In its order, the court summarized the three claims against Target raised by the plaintiffs in their complaint: (i) that Target “was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data,” (ii) that the company violated the Plastic Card Security Act (“PCSA”) in Minnesota, and (iii) that “this violation constitutes negligence per se.” The plaintiffs’ claimed injuries include “replacing cards for their customers, reimbursing fraud losses, and taking various other remedial steps in response to the Target data breach.”
In arriving at its holding, the court analyzed the class action certification requirements of Federal Rule of Civil Procedure 23. The court noted that Target focused its argument against certification on the requirements of commonality and predominance, stating that “Rule 23(a) requires that there are common questions of law or fact among class members’ claims, and Rule 23(b)(3) requires that those common questions predominate over individual issues.” The court pointed out that “[a]ccording to Target, any common questions among Plaintiffs do not predominate, making class certification inappropriate.”
The court noted that Target presented two “overarching challenges” to the certification: first, that “no classwide proof supports Plaintiffs’ negligence claims or Plaintiffs’ PCSA claims” and second, that “damages must be calculated on a bank-by-bank basis, meaning that individual damages issues predominate over any potential class-wide issues.” With respect to the injury element of the negligence claims, Target argued that the “injuries here are ‘risk of future harm’ injuries that are not cognizable or susceptible of classwide proof.” The court rejected this, noting that affected banks reissued almost every card that had an alert following the Target breach and stating that “[t]his is not a ‘future harm.’ This is a cost borne at the time of the breach and as a result of the breach.”
Regarding the PCSA claim, Target contended (citing the language of the statute) that there could be no “classwide proof as to which cards were ‘affected by’ the breach, whether each bank’s actions were ‘reasonable’ and were ‘undertaken . . . as a result of the breach,’ and whether any such actions were taken ‘to protect the information of  cardholders’ or ‘to continue to provide services to cardholders.’” The court rejected Target’s challenge here as well, noting that “[w]hether particular actions—reissuance, blocking accounts, reimbursing fraudulent charges, paying for customers’ fraud monitoring—are reasonable actions in the face of a data breach can be determined class-wide and need not be examined with respect to each financial institution individually” and holding that the plaintiffs’ claim under the PCSA was “susceptible of classwide proof.”
With respect to damages, Target raised several arguments against class treatment, among them that “the reissuance and fraud losses must be made on a bank-by-bank, loss-by-loss basis, making damages too individual for classwide determination.” However, the court determined that “[a]lthough Plaintiffs’ damages may ultimately require some individualized proof, at this stage Plaintiffs have established … that it is possible to prove classwide common injury and to reliably compute classwide damages resulting from reissuance costs and fraud losses.”
The court’s order indicates that for financial institutions, a class action lawsuit may be an effective vehicle for pursuing litigation against a party whose data breach injured a number of similarly affected financial firms, particularly in the case of a large-scale breach. For retailers that store confidential information, the order underscores the importance of rigid data security controls, as a retailer that experiences a data breach may be liable both to consumers whose data was compromised and other parties adversely impacted.
The court’s order may be found here.