In re Target Corp. Customer Data Security Breach Litigation, No. 14-md-02522 (D. Minn.).
On December 19, 2013, Target publicly announced it had experienced a data security breach via malware installed on its point-of-sale network. Forty million customer credit and debit card numbers, encrypted PINs, and CVV codes, along with 70 million customer names, mailing addresses, email addresses, and phone numbers, were stolen between November 27 and December 15, 2013. The breach spawned dozens of putative class action suits. Because they involved common questions of fact, on April 2, 2014, the 33 pending cases and 71 potential tag-along cases, which spanned 18 federal districts, were consolidated in the District of Minnesota. The multidistrict litigation now includes a total of 111 suits.
The plaintiffs include both Target customers whose personal information was compromised by the breach and banks and credit unions that issued customers’ debit and credit cards. The most common claims are negligence, negligence per se, breach of contract, bailment, conversion, unlawful deceptive trade practices and unfair competition, unjust enrichment, unlawful retention of credit card information, breach of fiduciary duty, violations of consumer protection laws, fraudulent concealment, negligent performance of services, and negligent misrepresentation. The plaintiffs seek various types of relief, including mandatory payment of identity theft and credit monitoring services, imposed auditing requirements, injunctions to cease and desist improper retention of customer data, reimbursement of funds stolen and costs expended in issuing new cards, disgorgement of Target’s profits during the time of the breach, and forced adoption of certain security measures.
In addition to the class actions now comprising the multidistrict litigation, at least four shareholder suits have been filed against Target and its board of directors, alleging breach of fiduciary duty and waste of corporate assets.