In the aftermath of major data breaches at deep-pocketed retailers and other businesses, there is typically no shortage of litigants who move quickly to seek compensation from the business at which the breach occurred. But whether the would-be plaintiffs’ claims get very far in court often depends on whether those plaintiffs are individual consumers or financial institutions. Consumers typically do not fare well, because courts regularly conclude that their losses resulting from fraud are covered in full by banks. By contrast, financial institutions generally succeed in defeating motions to dismiss on data breach-related claims, because they can point to the costs of steps that they have to take to cover cardholders’ losses, and to re-issue customer credit or debit cards.
Now Home Depot is trying to ensure that banks, like individual consumers, have little recourse in court against businesses that suffer data breaches. On July 5, the company asked a federal judge in the Northern District of Georgia to certify for interlocutory appeal his May order preserving the great majority of claims brought by a proposed class of financial institutions and credit unions against Home Depot in multidistrict litigation arising from its 2014 data breach. Home Depot argued that the ruling raised at least six novel questions of law that would benefit from immediate resolution, including whether financial institutions have Article III standing to assert claims arising out of a data breach, whether retailers owe banks a duty to protect against third-party criminal hacks, and whether financial institutions can bring negligence claims based on an alleged violation of Section 5 of the Federal Trade Commission Act.
In his May ruling, the judge concluded that the financial institutions and credit unions had pled actual injuries — including the loss of money through card reimbursement, fraudulent charges and transaction fees — that gave them standing. But Home Depot argues in its motion for certification that the banks had simply lumped together a list of their injuries in six paragraphs of a 283-paragraph complaint, with no institution alleging its own specific injuries.
Noting that no other court has yet ruled on the standing of financial institutions to assert claims arising out of a data breach, Home Depot urged the district court to allow the Eleventh Circuit Court of Appeals to consider immediately whether named plaintiffs in class actions have Constitutional standing to assert claims without specifying their individual injuries, and whether claims of “prophylactic measures” that the banks assert they took to guard against possible similar data breaches at other companies in the future can establish the requisite standing.
In the second paragraph of its motion, Home Depot asserts that “financial institution claims are becoming more and more prevalent in the wake of a data breach.” The retailer suggested that this trend was “undoubtedly due to the difficulties consumer data breach plaintiffs have establishing standing” under the U.S. Supreme Court’s 2013 ruling in Clapper v. Amnesty International, which held that plaintiffs need to prove they have suffered actual harm or a definite impending injury to satisfy standing requirements.
Retailers and restaurants such as Target, Kmart and Wendy’s have all faced putative class actions seeking to recoup costs borne by financial institutions in the wake of headline-grabbing data breaches. Both Target and Kmart elected to settle the actions, while the action against Wendy’s is still in its very early stages, having only been filed at the end of April.
The parties in the Target case reached their $39 million settlement, which was announced in December, only after a Minnesota federal court refused to toss most of the litigation and then certified a class of all financial institutions that issued cards affected by the hack.
Aside from the standing issue, the motion raises other intriguing questions, two of which are whether a negligence per se claim can be based on a violation of Section 5 of the FTC Act, and whether non-consumers (such as banks) fall within the category of entities protected by Section 5.
Section 5 of the FTC Act empowers the Federal Trade Commission to bring claims for unfair or deceptive trade practices against a wide range of businesses, although private parties can’t wield that authority. In its motion, Home Depot is asking the Eleventh Circuit to determine whether a violation of the unfairness prong of the FTC Act can give rise to a negligence per se claim, as the court has thus far permitted in this case.
Because the district court has only ruled on the motion to dismiss and hasn’t issued a final determination in the case, Home Depot must first get permission from the lower court to appeal the ruling to the Eleventh Circuit, and then the appellate court must agree to weigh in.
While we await decisions on one or, if necessary, both of those issues, two points worth bearing in mind are (1) financial institutions’ recent high level of success in seeking compensation from companies suffering data breaches that affect the financial institution’s customer or employee base in some way, and (2) the potential for companies at which data breaches occur to further limit the universe of possible plaintiffs capable of suing them in the wake of such breaches.