On December 2, 2014, the U.S. District Court for the District of Minnesota granted in part and denied in part a motion to dismiss a class action lawsuit brought on behalf of several financial institutions for Target’s December 2013 data breach. The Court held that while Plaintiffs failed to adequately plead negligent misrepresentation regarding data security by Target, the financial institutions did adequately meet their burden in pleading other negligence claims. While the decision In re: Target Corp. Customer Data Security Breach Litigation (MDL No. 14-2522, Docket No. 163) has yet to determine whether Target is liable to any financial institutions, the Court’s ruling on the motion to dismiss potentially expands the exposure for cybersecurity breaches.
The lawsuit alleged that Target failed to protect customers with adequate cybersecurity safeguards during the 2013 holiday shopping season. Two categories of class actions were brought against Target—one on behalf of customers, and another on behalf of financial institutions. Although consumer class actions could be expected, the action brought on behalf of financial institutions was an expansion of the usual cybersecurity plaintiffs. The financial institutions claimed “injury” as a result of incurring costs associated with notifying customers of the data breach, monitoring accounts to prevent fraud, and suspending or canceling account numbers during the “busiest shopping season of the year.”
Minnesota law requires four elements be met to adequately plead negligence: duty, breach, causation and injury. The hurdle for the financial institution plaintiffs was demonstrating that Target owed them a duty. Target argued that no duty was owed because financial institutions were third parties, and that there was no “special relationship” between Target and any of the financial institutions under Minnesota law. The financial institutions argued that because the harm caused by Target’s failure to adequately maintain data security measures created a foreseeable risk, and financial institutions were foreseeable victims of the harm caused, the case was one of “straightforward negligence.”
The Court held that under Minnesota law, the complaint sufficiently alleged that financial institutions were owed a “duty.” Even though hackers harmed the customers and financial institutions, the Court ruled that Plaintiffs had met their burden by claiming that Target allegedly disabled security features which left customer data vulnerable. The Court sided with Plaintiffs and agreed that Target was in the best possible position to safeguard customer data, and that Target’s conduct plausibly could have “caused and exacerbated” the data breach. The Court also determined that the case served a public policy function to punish companies for failure to maintain appropriate cybersecurity measures. The Court looked to Minnesota legislative actions to support its decision (namely the Minnesota Plastic Card Security Act, Minn. Stat. § 325E.64, subd. 2, 3), and decided this further justified keeping the class action alive.
The Court dismissed the negligent misrepresentation claim against Target without prejudice because Plaintiffs failed to adequately plead reliance. The Plaintiffs alleged that Target was under an obligation to disclose a weakness in its security system but failed to do so—an omission—and that in the context of omission, injury without reliance could sustain the cause of action. The Court held that the Plaintiffs’ position was erroneous, and that courts had not extended this type of presumption of reliance outside of the securities fraud realm.