On March 19, 2015, United States District Judge Paul Magnuson of the District of Minnesota gave preliminary approval to a proposed settlement in the multidistrict consumer litigation brought against Target Corporation in the wake of its 2013 data breach that exposed the credit card and personal information of up to 110 million customers. If given final approval, the settlement will resolve one of the largest ever consumer class actions stemming from a breach of payment card security, and therefore could provide a roadmap for what future large-scale data breach settlements may look like.

ESTABLISHMENT OF A FUND TO PAY CLASS MEMBERS

Target has agreed to pay $10 million into an interest-bearing escrow account. Consumers who used credit or debit cards at Target stores between November 27, 2013 and December 18, 2013 will be eligible to receive up to $10,000 each by submitting proof of costs associated with identity theft, unauthorized charges and higher interest rates that resulted from unauthorized activity on their credit accounts. Class members may also submit claims for time spent addressing these issues, although recovery is limited to $10 an hour, with a cap of two hours. Although “lost time” is often proffered by plaintiffs as a basis for alleging damages stemming from a breach, courts generally have rejected this theory of damages. See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009) (certifying questions to the Maine Supreme Judicial Court as answered in In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 496-98 (Me. 2010)). The fund will prioritize payments to consumers who can document their losses, while other class members will receive a share of any remaining funds. The Court will distribute any remaining funds, though the details of those disbursements are left undefined by the settlement.

Given the magnitude of the breach, the $10 million figure is likely lower than Target would have faced with a ruling on the merits, which may be indicative of the difficulties consumers face in proving cognizable damages in data breach cases. In fact, Judge Magnuson’s opinion denying Target’s motion to dismiss cautioned that the plaintiffs might have trouble establishing damages at later stages in the litigation. See In re Target Corporation Customer Data Security Breach Litigation, District of Minnesota, 14-md-02522 (Dkt. no. 281).

NON-MONETARY MEASURES TO BOLSTER SECURITY

The settlement also requires Target to take a series of non-monetary steps designed to better safeguard customer data, including:

  • Hiring a chief information security officer to coordinate and take responsibility for its information security program entrusted with the protection of consumers’ personal information;
  • Maintaining a written information security program that identifies internal and external risks to the security of consumers’ personal information and mandates periodic review of the sufficiency of safeguards to control such risks; and
  • Implementing a program to educate and train relevant employees about the security of consumers’ personal information.

These unique terms highlight the obligations increasingly imposed on organizations to maintain adequate data security policies to safeguard consumer data.

* * *

A final approval hearing on the proposed settlement has been scheduled for November 10, 2015.

The settlement does not resolve a pending class-action lawsuit by financial institutions against Target that seeks compensation for breach-related expenses such as reissuing affected payment cards and covering the cost of fraudulent charges. (Dkt. no. 163). Significantly, in December 2014, Judge Magnuson denied Target’s motion to dismiss, holding that the financial institutions adequately had pled the existence of a “special relationship” between Target and the financial institutions such that Target had a duty to adequately protect customer credit and debit card data. The Court also refused to dismiss the banks’ negligence claims against Target for its alleged failure to provide a sufficient level of security that could have prevented the breaches. (Dkt. no. 261).

Target also continues to deal with a number of state and federal investigations into the breach.

The Target consumer class-action settlement is a significant development for breach-related litigation, but the legal fallout from Target’s data breach is not yet over. We can expect that courts and regulators alike may increasingly seek to hold companies liable when they suffer data breaches, if the court concludes that the company failed to take adequate measures to safeguard sensitive customer data.