Big cases often result in significant and unprecedented results. That certainly seems the case with two recent decisions in the Target Data Breach Litigation in Federal Court in Minnesota. When these decisions are analyzed with other Federal Court decisions which have not followed the SCOTUS precedents found in Dukes and Comcast, 2014 seems to set an ominous tone for future data breach and privacy class actions. What it all means remains to be seen, but certainly the recent decisions to deny Target’s motions to dismiss are troubling.
As most everyone knows, this litigation stems from the theft of credit and debit card information of over 110 customers of Target in December 2013. Numerous lawsuits were filed and the litigation was assigned to the Multi District Litigation Panel, and transferred to Minnesota before Judge Paul Magnuson.
Traditionally, data breach related claims have not fared well. Courts have generally dismissed such claims, finding a lack of duty, the presence of a superseding intervening cause, the barring effect of the economic loss rule or a lack of standing.
In Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 185 L. Ed. 2d 264 (2013), for example, the Supreme Court held that fear of identity theft or even the taking of steps to protect one's data does not provide a sufficient injury to provide standing to sue:
They [plaintiffs] claim that they suffer ongoing injuries that are fairly traceable to § 1881a because the risk of § 1881a surveillance requires them to take costly and burdensome measures to protect the confidentiality of their communications. But respondents cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending. Because they do not face a threat of certainly impending interception under § 1881a, their costs are simply the product of their fear of surveillance, which is insufficient to create standing. See Laird v. Tatum, 408 U. S. 1, 10-15. Accordingly, any ongoing injuries that respondents are suffering are not fairly traceable to § 1881a. Pp. 16-20.
For some time, we at Class Counsel have been concerned that the judicial treatment of data breach claims could change over time as Courts become more concerned and outraged over such breaches. The Target litigation seems to have presented just that opportunity.
There are two types of putative class actions presented in the Target litigation: one brought by the card issuing financial institutions, and one by consumers of Target. Late last year Judge Magnuson denied Motions to Dismiss filed by Target with respect to both putative classes.
The financial institution putative class consists of banks that had actually issued credit or debit cards to consumers whose information may have been stolen. Upon purchase, merchants such as Target forward transaction information to something called an “acquirer bank.” Acquirer banks contract with merchants, like Target, to process the transaction. Once the acquirer bank receives the transaction information, it forwards it to the customer’s or card issuer bank for approval. If approved, the issuer bank will forward the funds to cover the transaction to the acquirer bank. The acquirer then pays the merchant. The issuer bank thus has no contractual relationship with the merchant.
The issuer banks in the Target litigation claimed substantial losses in covering fraudulent transactions, credit and debit card replacement costs, etc. The bank plaintiffs claimed that:
- Target acted negligently in failing to provide sufficient security to prevent the hackers from obtaining access to the data;
- Target’s failures to prevent the breach violated the Minnesota Plastic Security Card Act;
- the violation of the Act constituted negligence per se; and
- Target’s failure to inform the banks of its insufficient security constituted a negligent misrepresentation.
Target argued that it had no duty to the issuer banks with whom it had no contracts, that by definition, its conduct did not create a foreseeable risk of harm, that it had no “special relationship” with the banks to create any duty for the acts by someone else, and that the Minnesota Act did not apply to transactions taking place outside of Minnesota.
Taking a restrictive view of the Twombly line of cases (see Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)), Judge Magnuson held that the plaintiffs’ general negligence claim was adequately pled: the claim that Target disabled a security feature created a foreseeable risk to the banks and other plaintiffs, and that Target failed to take actions once the attack began was sufficient to state a cause of action. Judge Magnuson also held that there was indeed a duty owed by Target to issuer banks, and that Target was “solely able and responsible” to safeguard the data. Perhaps even more ominously, the Court also commented that its finding would aid the Minnesota public policy of “punishing” companies that do not secure credit and data info.
The Court did reject the negligent misrepresentation claim because the plaintiffs did not plead any reliance on any Target omission. In doing so, it went out of its way to comment that it believed Target knew facts about its ability to repel hackers that plaintiffs could not have known.
Finally and significantly, the Court held that Minnesota’s Plastic Security Card Act applied to any data retention practices of any entity conducting business in Minnesota. Thus, even if a transaction did not occur in Minnesota, the Act, which is similar in many ways to laws in most states, still applies to Target’s actions.
The decision means that issuer banks now have tools to recover what they pay out and their accompanying costs for preventing fraudulent transactions. Merchants thus could now face staggering liability from financial institutions for costs that those institutions and/or payment processors have historically borne. And merchants could face statutory violations from a variety of states in which they conduct any data-related practices.
Judge Magnuson took a similarly liberal view of the claims of the putative consumer class. This putative class claimed that its members actually incurred unauthorized charges, lost access to their accounts and/or were forced to pay sums such as late fees and credit monitoring costs because the hackers gained access to their personal financial information. Generally, consumer claims like this have been dismissed for lack of standing because most of the plaintiffs had not yet suffered any costs or because their costs had been reimbursed.
While Judge Magnuson did dismiss some of the state law claims brought by this class, several of his more general rulings are troubling.
Judge Magnuson first took up the claim that the plaintiffs lack standing because they could not establish injury presumably under Clapper. According to the Court, plaintiffs did have sufficient injuries for standing purposes because they suffered costs “including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills and late payment charges or new card fees.”
Even though Target argued vehemently that plaintiffs failed to plead that these charges were not reimbursed, the Court held that this requirement, which stems directly from Clapper, set “too high a standard,” in essence rejecting the Clapper opinion.
Target also argued that plaintiffs could not bring negligence claims because they failed to allege that their damages were caused by the breach of the duty alleged. Again, Judge Magnuson simply ignored this deficiency by citing that plaintiffs had damage and had plausibly alleged the breach of duty by pleading that Target owed a duty to disclose the breach timely, and to exercise care in safeguarding data. The problem, of course, is that the plaintiffs failed to allege the causal connection between the two, an issue the Court just didn’t address.
The Court also found that whether there existed some implied contract between the consumers and Target was a jury issue, and that plaintiffs’ claim that they would not have shopped at Target had they been advised of the breach in a more timely fashion was sufficient to support an unjust enrichment claim. The Court did reject the plaintiffs’ theory that they were overcharged for the price of goods because Target included a premium for data security.
All in all, these decisions represent a stunning departure from traditional views Courts have taken in data breach cases. Given the size of the Target breach and its notoriety, we fear that these opinions will open the floodgates even wider for class action litigation based on such breaches and the misuse of data. It is equally troubling that the Minnesota Court essentially ignored the Supreme Court’s decision in Clapper in much the same way other Courts seem to be ignoring the Supreme Court’s holdings in Dukes and Comcast.
When these cases are analyzed together, it seems that 2014 may prove to be significant in the advancement of data privacy and breach class actions. The trilogy of decisions and precedents found in Dukes, Comcast, and Clapper might not be enough to overcome populist or consumer-oriented Judges’ and Justices’ views that the certification of single issue or no damage cases is appropriate under Rule 23. SCOTUS did not help limit the potential of this coming storm when it denied Whirlpool’s writ of certiorari following the 6th Circuit’s stubborn refusal to accept the hint that it should de-certify the Whirlpool case based on the Supreme Court’s decision in Comcast.