Although Target has tentatively settled consumer data breach class action claims, the retailer remains in the crosshairs of the plaintiffs’ class action bar. On September 15, a Minnesota federal district court certified a class of: “[a]ll entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.” Rejecting the Minnesota-based retailer’s argument that variations in state law precluded certification, the Court held that Minnesota law applied to the claims of all class members. The Court also found that plaintiffs’ claims for negligence, violation of Minnesota’s Plastic Card Security Act, and negligence per se were susceptible to common proof, holding that: “[w]hether particular actions – reissuance [of credit and debit cards], blocking accounts, reimbursing fraudulent charges, paying for customers’ fraud monitoring – are reasonable actions in the face of a data breach can be determined class-wide and need not be examined with respect to each financial institution individually.” Questions of individualized damages calculations also failed to defeat certification; the Court noted that: “[s]hould classwide damages ultimately prove unworkable, a damages class can be decertified and damages questions stayed for determination after the liability phase concludes.”

To date, the banking claims have already proven a greater expense to the retailer than the consumer class claims. Whereas Target’s consumer class settlement creates a $10 million claims fund, the retailer has already agreed to pay $67 million to settle claims by banks that issued Visa cards compromised in the breach. In addition to the certified banking class claims, Target is facing pending shareholder derivative litigation in Minnesota federal district court.

In re Target Corp. Customer Data Security Breach Litig., MDL No. 4-2522 (D. Minn. Sept. 15, 2015).