On September 15, 2015, Justice Paul A. Magnuson of the United States District Court, District of Minnesota granted class certification to banks that issued payment cards in the payment card data breach that was publicly disclosed by Target on December 19, 2013.
The Judicial Panel on Multidistrict Litigation consolidated lawsuits regarding the breach in the Minnesota court. The case then separated into two “tracks” — one for consumers and one for financial institutions. While the consumer action was settled, the action by the financial institutions continued.
Those institutions had issued debit and credit cards to consumers who, in turn, had used those cards at Target during the period of the breach. Following the breach, the banks reissued the cards, at their cost, which they sought to recover from Target.
The financial institutions alleged that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. They also alleged that Target violated Minnesota's Plastic Security Card Act.
Target's focus in defending the certification motion was that there was no question of law or fact common to the class which predominated over questions affecting the individual members, and that the class action was not superior to other available methods in the adjudication of the allegations.
Specifically, Target argued that because the banks were themselves domiciled in different states, different laws of negligence would apply, such that any question of law was not in fact common. The Court rejected that argument, holding that the law of the State of Minnesota would apply to all.
Target also argued that the banks' decision to reissue the cards was a business decision, for which it should not be liable in law. As the Court noted, the absurdity of that position was made evident from the fact that Target reissued its own debit cards in weeks after the breach.
Plaintiffs alleged that Target had also violated Minnesota's Plastic Card Security Act, which governed the kind and quality of customer data that retailers could retain, and which required that those who breached the legislation reimburse “reasonable” costs. Target argued that whether each bank's actions were “reasonable” within the meaning of the statute had to be judged on a bank by bank basis, and that hence there was no common factual question.
The Court disagreed. It noted that whether particular actions — reissuance, blocking accounts, reimbursing fraudulent charges, paying for customers fraud monitoring — were reasonable actions in the face of the data breach, could be determined on a class-wide basis, and need not be determined with respect to each financial institution.
On the issue of damages, Target had argued that there were contributory fault defences that were unique to each bank, such that damages were not common. The Court saw this for what it was — a classic argument of contributory negligence or failure to mitigate damages, neither of which related to the underlying liability for the data breach.
On the related issue whether reissuance costs and fraud losses were determinable on a classwide basis, the Court noted that even if these damages could not be calculated on a classwide basis, class certification was still appropriate if the other factors for certification were met and there was no risk that individual damages outweighed the classwide issues.