Consumers that filed a class action against Target Corporation following the company’s 2013 payment card breach have survived a motion to dismiss. The ruling – announced just before the holidays – comes on the heels of the court’s decision allowing payment card issuing banks to proceed with their claims against Target and is a significant development in an issue frequently presented to federal courts regarding when and how data breach plaintiffs can plausibly plead facts that establish injury-in-fact giving rise to standing.
The court’s opinion covers a variety of complex issues, many of which are still in flux in the data breach context, including standing, state consumer protection law issues of 49 states, and interpretations of data breach notification laws for 38 states. This alert focuses less on the specific rulings of the court – some of which were decided on a state-by-state basis – and more on the highlights that will overshadow similar cases in the months and years to come.
The plaintiffs’ claims arise from the well-known payment card breach Target suffered in late 2013. In their complaint, the plaintiffs’ brought seven types of claims:
- Violation of consumer protection laws of 49 states (excluding Alaska) and the District of Columbia;
- Violation of data breach notification laws of 38 states;
- Negligent failure to safeguard consumer data and timely disclose the breach;
- Breach of implied contract with respect to consumers who were not Target REDcard cardholders;
- Breach of contract with respect to consumers who were Target REDcard cardholders;
- Bailment; and
- Unjust enrichment.
Target moved to dismiss all of these claims on multiple grounds, but was largely unsuccessful.
The court found that the plaintiffs had sufficiently alleged injury or damage.
At nearly every turn, Target argued that the plaintiffs could not survive the dismissal stage because they had not sufficiently alleged injury or damage. Target argued globally that the plaintiffs did not have Article III standing to bring their claims because they could not allege injury in fact and argued more specifically that the plaintiffs’ inability to allege injury or damages undermined their consumer protection claims, their claims under state data breach notification laws, their negligence claims, and their claims for breach of contract (both implied and explicit).
The court rebuffed each of these arguments. The court found the plaintiffs had pled facts satisfying Article III standing requirements because they alleged “unlawful payment card charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” The court acknowledged that “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue,” but the court nonetheless allowed the claims to proceed beyond the motion to dismiss. The court found that these allegations were also sufficient to satisfy any injury or damage requirements of plaintiffs’ specific causes of action.
The court trimmed the plaintiffs’ state-law statutory claims, but most survived.
The plaintiffs claimed that Target violated the consumer protection laws of 49 states and the District of Columbia. They claimed that Target violated these laws by:
- Failing to maintain adequate data security practices;
- Failing to disclose that it did not have adequate safeguards to protect consumer data;
- Failing to provide timely and accurate notice of the breach; and
- Continuing to accept credit and debit card payments after it knew or should have known of the breach and before it successfully restored system security.
The plaintiffs also claimed that Target violated the data breach notification laws of 38 jurisdictions because it failed to provide timely and accurate notice of the breach.
Target was largely unsuccessful in moving for dismissal of these claims, but the court was persuaded by two arguments raised by Target. Specifically, the court dismissed the plaintiffs’ consumer protection claims under the Delaware Uniform Deceptive Trade Practices Act, the Oklahoma Deceptive Trade Practices Act, and the Wisconsin Deceptive Trade Practices Act because those statutes either (1) do not provide for a private cause of action or (2) provide for a private cause of action only in circumstances not applicable to this case.1Likewise, the court dismissed the plaintiffs’ claims under data breach notification laws in 9 states because they did not provide for a private right of action.2
The court was also persuaded that the plaintiffs could not proceed with their consumer protection claims based on state laws that precluded class actions. After a lengthy analysis, the court determined that clauses in those states’ consumer protection statutes that prohibit class actions served to preclude such actions not only in state court, but also in federal court, despite the availability of class actions under Federal Rule of Civil Procedure 23. Based on this ruling, the court dismissed the plaintiffs’ consumer protection claims in nine additional states.3
The economic loss doctrine does not preclude the plaintiffs’ negligence claims in most states.
The plaintiffs brought negligence claims against Target alleging that the company had a duty (1) to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting and protecting their data from being compromised, lost, stolen, accessed or misused by an unauthorized person, and (2) to timely and accurately disclose the data breach. Target’s main challenge to the plaintiff’s negligence claims was based on the economic loss rule, which precludes recovery for “purely economic losses” under a tort theory of negligence.
Target argued the court should dismiss the plaintiffs’ negligence claims in 11 states as barred by that doctrine. The plaintiffs argued in response that each of the 11 states cited by Target recognized an independent-duty exception, meaning the economic loss rule does not apply when the duty alleged is an independent duty that does not arise from commercial expectations. The plaintiffs further argued that some of the states identified by Target have recognized an exception to the economic loss rule when a “special relationship” exists between the parties. According to the plaintiffs, their negligence claims should survive the motion to dismiss under one or both of these theories.
Following a state-by-state analysis, the court ruled that the plaintiffs’ negligence claims were barred by the economic loss rule in Alaska, California, Illinois, Iowa, and Massachusetts. Courts in California and Massachusetts have analyzed the economic loss rule in the context of data breach litigation and dismissed negligence claims brought by plaintiffs in those cases.4 Although there were not cases directly on point in Alaska, Illinois, and Iowa, the court analyzed the economic loss rule and relevant exceptions in those states and concluded the plaintiffs’ negligence claims were barred under those states’ laws.
The court dismissed the plaintiff’s bailment claims with prejudice.
Much like plaintiffs in other high-profile data breach lawsuits, the consumer here brought a bailment claim against Target. A bailment is “the delivery of property for some purpose upon a contract, express or implied, that after the purpose has been fulfilled, the property shall be redelivered to the bailor or otherwise dealt with according to his directions.” The court held that, even assuming that intangible property such as financial information constitutes “property” for a bailment claim, the plaintiffs “have not – and cannot – allege that they and Target agreed that Target would return the property to them.” Moreover, they “allege that third parties stole the information, not that Target wrongfully retained that information.” The court dismissed the plaintiffs’ bailment claims with prejudice.
The court allowed the plaintiffs’ unjust enrichment claims to proceed under a “would not have shopped” theory.
The plaintiffs advanced two theories in support of their unjust enrichment claims. The court dismissed their claim that they had been overcharged for the products they purchased at Target, products the price of which allegedly included a premium for adequate data security. The court found it dispositive that payment card customers paid no more for Target’s products than cash customers.
However, the court was persuaded by the plaintiffs’ “would not have shopped” theory of unjust enrichment. Under this theory, the plaintiffs alleged that had Target timely and adequately disclosed the breach, they would not have shopped at Target. Thus, Target knowingly received or obtained the proceeds of the plaintiffs’ purchases – after Target knew or should have known of the breach and before it notified the plaintiffs – which it “in equity and good conscience” should not have received.5
This case is a roadmap.
In the context of American law, data breach litigation is certainly in its youth. And in seeking damages, plaintiffs are bringing claims for violations of data breach notification laws that are barely a decade old alongside claims based on centuries-old legal concepts such as bailment and breach of contract. The consumer class action against Target is an excellent case study in the types of claims that can be brought in data breach class actions, and in how the courts may analyze and rule on those claims.
The case also highlights the ongoing debate in federal courts regarding when and how data breach plaintiffs can plausibly plead facts that establish injury-in-fact giving rise to standing and permitting plaintiffs in data breach class actions to proceed beyond the pleadings stage. The court found that the plaintiffs successfully articulated injury in fact and overcame the hurdle of Article III standing, and although the court hinted on multiple occasions that discovery may be the plaintiffs’ undoing, the majority of their claims – for now – remain intact.