In a short but very sweet ruling for the financial institutions suing Target to recover costs associated with mitigating the gigantic data breach suffered by Target in late 2013, Judge Magnuson certified the financial institutions class on Tuesday September 15.

The litigation of which we have previously written on a couple of occasions (see At Risk: Community Banks and the Recovery of Losses Due to Merchant Data Breach and Opening the Rule 23 Floodgates: Did Plaintiffs just hit the Data Breach Bulls-Eye?) stems from a data breach that impacted more than 100 million customers and cost the financial institutions over 30 million in losses primarily due to the reissuance of some 25,000 debit and credit cards.

In a short but very sweet ruling for the financial institutions suing Target to recover costs associated with mitigating the gigantic data breach suffered by Target in late 2013, Judge Magnuson certified the financial institutions class on Tuesday September 15.

The litigation of which we have previously written on a couple of occasions (see At Risk: Community Banks and the Recovery of Losses Due to Merchant Data Breach and Opening the Rule 23 Floodgates: Did Plaintiffs just hit the Data Breach Bulls-Eye?) stems from a data breach that impacted more than 100 million customers and cost the financial institutions over 30 million in losses primarily due to the reissuance of some 25,000 debit and credit cards.

Relying on a line of cases growing out of  the Supreme Court’s in Clapper v. Amnesty International133 S. Ct. 1138, 185 L. Ed. 2d 264, (2013),Target argued  in part that there was no requirement for the financial institutions to reissue cards in the absence of fraudulent charges and thus the institutions suffered no recoverable damage or injury. As Judge Magnuson put it: “Target contends that Plaintiffs’ injuries here are ‘risk of future harm’ injuries that are not cognizable or susceptible of class wide proof…Target argues that because Plaintiffs were not required by contract, law, or regulation to reissue the so-called ‘alerted on’ cards, reissuance was a business decision and not an injury proximately caused by the breach.”

Judge Magnuson called that claim “absurd” and adopted reasoning growing out of a line of cases in which it has been held that a cognizable injury occurs when steps are taken to mitigate future harm in the data breach context. The most and perhaps well known such decision is Remijas v. Neiman Marcus Groups LLC, 2015 WL 4394814 (7th Cir. July 20, 2015). We recently comprehensively discussed this issue in our post Data Breach Litigation: The Sky is Falling or a Failure of Proof?

In language that undoubtedly will bolster future claims of financial institutions seeking to recover these costs, the Target Court stated:

What Target suggests is that, because there was no requirement to act, financial institutions should have done nothing in the face of dire alerts regarding the data breach issued by the card-issuing companies and by Target itself and the known potential consequences for the institutions' customers…The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach. Whether a specific action was legally mandated is not required to establish injury or causation…[T]hat every financial institution whose customers’ cards were stolen in the breach suffered an injury in fact is readily apparent.

Similar arguments and issues are presented in the Home Depot data breach case pending in federal court in Georgia.  See In re: The Home Depot, Inc., Data Security Breach Litigation, MDL No. 14-02583-TWT.

The ability of financial institutions to recover for these kinds of losses has ignited a significant debate. Traditional legal principals would suggest that the taking of steps to preclude harm from occurring does not necessarily supply the standing to pursue legal standing. On the other hand, the Remijas and now Target decisions seem to suggest that a data breach presents a different type of threat that is perhaps more imminent and which justifies prompt action. Put another way, these cases seem to recognize the idea that the theft of data, in and of itself, may constitute an imminent threat of harm that support recovery for the costs incurred in taking those steps.

For financial institutions who are facing more and more costs as result of data theft, the ability to recover against parties that fail to take steps to prevent the harm, together with the coming liability shift as credit card companies, issuing banks and credit card companies adopt chip and sign technology, may be a Godsend.