A new federal court decision may make it easier for consumers to bring data breach claims against businesses.
During the 2013 holiday season, hackers stole credit and debit card information for approximately 110 million customers of Target’s retail stores. Consumer plaintiffs brought suits in multiple jurisdictions against Target alleging damages from having been the victims of having “incurred unauthorized charges; [lost] access to their accounts; and/or to pay sums such as late fees, card-replacement fees, and credit monitoring costs because the hackers misused their personal financial information.” All federal lawsuits related to the Target data breach were consolidated into one class action lawsuit pending before United States District Court Judge Paul A. Magnuson in St. Paul, Minnesota. The Plaintiffs in that consolidated lawsuit are a putative class of consumers who “used their credit or debit cards at Target stores during the period of the security breach, and whose personal financial information was compromised as a result of the breach.”
In response to the lawsuit, Target moved to dismiss all Plaintiffs’ claims. Chiefly, Target alleged that Plaintiffs’ lack standing because they have not suffered any actual or imminent injury in that they do not allege “that their expenses were unreimbursed or say whether they or their bank closed their accounts.” However, the court found that Plaintiffs have standing because they alleged injuries “fairly traceable” to Target’s data breach in that they alleged “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and lay payment charges or new card fees.”
In addition to finding that Plaintiffs have standing, the court found that Plaintiffs can proceed against Target on claims that (i) Target breached a number of states’ consumer protection laws and data breach notice statutes; (ii) Target was negligent under the laws of certain states; (iii) Target breached an implied contract to safeguard Plaintiffs’ personal information; and (iv) Plaintiffs may state a claim for unjust enrichment on the theory that had Target notified its customers about the data breach in a timely manner, Plaintiffs would not have shopped at Target and Target would not have received Plaintiffs’ money.
This latest decision related to the Target data breach lowers the barriers to consumers bringing data breach lawsuits against businesses and increases the need for businesses to more seriously consider pre-emptive measures to manage these potential risks.