Retail data breaches are multi-victim crimes, with the retailer, consumers and affected third parties all having legitimate claims to “victimhood” – and each left squabbling as the hacker vanishes into the digital ether. Moreover, the most powerless victims – individual consumers – may be foreclosed from class litigation because retailers, banks and credit card companies typically race to ensure customers are quickly made whole. However, a recent ruling in In re: Target Corp. Customer Data Security Breach Litigation suggests that, for class-action litigators, the real action is in the scrum among the retailer and affected third parties, including credit card companies, banks and credit unions.
On September 15, 2015, the U.S. District Court for the District of Minnesota certified a class of several hundred banks and credit unions against Target Corp. The recently minted class stems from the data breach Target suffered in 2013 that may have impacted up to 40 million debit and credit cards. A statement released by the League of Southern Credit Unions and Affiliates noted that Judge Magnuson’s ruling is “almost unprecedented” and their attorney called it “the beginning of a sea change to make merchants responsible for their misconduct, particularly when the misconduct impacts the credit union community.”
In opposing class certification, Target focused on Rule 23’s related commonality and predominance requirements. Specifically, Target argued common issues did not predominate because (1) the banks’ claims would require analysis and application of 50 states’ choice-of-law rules and substantive negligence laws, and (2) damages were not susceptible to class adjudication under the Supreme Court’s Comcast decision. Judge Magnuson summarily rejected these arguments, finding that a 50-state choice-of-law analysis was unnecessary because Minnesota’s contacts with the action were “legion” and the banks’ expert had established it is “possible to prove classwide common injury and to reliably compute classwide damages” as required by Comcast. Finally, the court distinguished between the claims of individual consumers – which the court categorized as presenting a “possibility” of future harm – and the banks’ claims – which the court found flowed from the actual cost of reissuing millions of cards affected by the breach.
Pursuant to the unique interlocutory appeal provision in Rule 23(f), Target has 14 days from the certification order to petition the Eighth Circuit for permission to lodge an appeal. That deadline can be extended if Target files a motion for reconsideration.
The court’s certification undoubtedly complicates – or at least makes more expensive – Target’s ongoing efforts to settle claims and put the 2013 data breach behind it. For other merchants, the ruling should serve as a warning that the threat of class-action litigation flowing from a data breach is not confined to affected consumers – affected businesses may also be aligning against you. Moreover, though one data point is not a trend, this decision suggests that those businesses may have an easier time meeting Rule 23’s certification requirements than a traditional putative consumer class would.