The latest salvo in the Target data breach litigation is a class action brought by credit card issuing banks advancing a creative and somewhat misleading construction of the Minnesota’s Plastic Card Security Act. The banks allege that there was a violation of the statute’s prohibition on retaining PIN, security code and other magnetic swipe data more than 48 hours after a transaction. The problem with that theory is that Target’s system does not retain card holder data, nor was the theft of data directed toward stored data. Instead, the hackers loaded malware onto Target’s point of sale (POS) system which allowed the criminals to capture card holder data as cards were swiped. The hackers then tucked the card data away in a highjacked file location elsewhere on the Target system, before porting that data to locations in Russia and Miami. In other words, Target wasn’t storing the unauthorized data; the criminals were, without Target’s knowledge.
These facts are well known as a result of reporting and disclosures concerning the investigation of the breach. Undeterred, the banks’ attempt circumvent these inconvenient truths through pleading legerdemain. Their complaint alleges Target “retained magnetic stripe information and data from millions of credit and debit cards issued by Plaintiffs and members of the Class, or allowed such information to be stored on Target’s servers” and “negligently utilized a computer system that retained, stored, and/or disclosed credit card magnetic stripe information (or allowed such information to be retained, stored, and/or disclosed).” (Emphasis added). As the boldfaced text indicates, plaintiffs are hanging their case on the fact that the stolen data was accumulated on the Target system, and not on any actions by Target to store card holder data in violation of the law. Plaintiffs essentially advance a strict liability theory in which businesses that implement systems that comply with the Plastic Card Security Act can nonetheless be held liable for violation of the statute if criminals, use that business’s computer systems to store stolen data without its knowledge or consent.
Playing fast and loose with the Plastic Card Security Act is only one of the potential problems with the banks’ case. They also seek certification of a national class to pursue claims under the Minnesota unfair trade practices statute, despite the fact that courts are typically reluctant to apply a single state’s laws to the claims of class plaintiffs located in multiple states. An even bigger obstacle to class certification is the precedent set in the TJX data breach class action. There, the court issued an order declining to certify a class of banks which, like the banks here, asserted claims under the Massachusetts unfair trade practices statute for losses arising from the data breach. The court found that individualized issues of fact and law predominated as to (i) reliance on alleged misrepresentations as to security of the TJX system; and (ii) whether damages claimed by the banks arose from the data breach or from other fraudulent causes that are endemic to the credit and debit card industry. Thus, even though the ability to establish actual losses distinguishes the card-issuing banks from the typical privacy class action plaintiff, they will still face significant challenges in obtaining certification of any claims that might survive a motion to dismiss.