On December 18, 2014, the U.S. District Court for the District of Minnesota ruled, in a 46-page opinion, that a putative class of consumers could proceed with a majority of their claims against Target arising from the data breach Target sustained over the holiday season in 2013. The plaintiffs allege financial losses after their credit- and debit-card information was stolen during Target’s data breach. The Court’s Order demonstrates the complexities of class action suits where the causes of action are subject to the distinct laws of all 50 states.
The Court first addressed the threshold issue of standing, a basis upon which many courts have dismissed proposed data breach class actions due to a lack of actual injury. In its Order, however, the Court held that the plaintiffs had sufficiently pleaded injuries that were “actual or imminent,” including “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees,” which, the Court held, were “sufficient to plead standing.”
Turning to the substance of the claims pleaded in the complaint, the Court analyzed many states’ consumer protection laws and data breach statutes. For example, the consumer protection laws and data breach statutes in certain states prohibit private rights of action or do not permit their assertion in a class-action suit. The plaintiffs withdrew some of their allegations as a result, and the Court dismissed a few additional claims, but for the most part the Court permitted the plaintiffs to proceed with claims unless the pleadings were insufficient under the clear language of applicable state laws.
The Court also preserved most of the plaintiffs’ common-law negligence claim, except with respect to five states (Alaska, California, Illinois, Iowa, and Massachusetts) that impose the economic loss rule, which bars a plaintiff from recovery of purely economic losses under a tort theory of negligence.
The Court also held that the plaintiffs’ claim for breach of implied contract was sufficiently pled, and a determination of the terms of an alleged implied contract was left as a factual question for a jury. The Court, however, dismissed without prejudice the plaintiffs’ breach-of-contract claim for REDcard debit cardholders. The complaint alleged that in the cardholder agreement, Target claimed to “use security measures that comply with federal law,” and the Court held that in order to sufficiently plead a breach of contract, the complaint would need to identify the federal law(s) with which Target allegedly failed to comply.
The plaintiffs’ claim of bailment (i.e., delivery of property that must be returned after the purpose has been fulfilled) was dismissed with prejudice because, according to the Court, the plaintiffs did not allege that Target wrongfully retained any information.
The plaintiffs’ final claim, for unjust enrichment, was pled with two theories. First, they argued that Target “overcharged” consumers by selling goods at a price that was presumed to include a premium for adequate data security. The Court rejected this theory, noting that all consumers paid the same price regardless of whether the payment method required security (i.e., cash or credit). The Court, however, did find plausible merit in the plaintiffs’ second theory, which posited that consumers “would not have shopped” at Target had they been notified after Target knew or should have known of the breach.