On December 19, 2013, Target announced that its computer systems had been breached and its consumers’ credit and debit card information had been compromised. Following this announcement, over 100 lawsuits were filed against Target by plaintiffs claiming to have incurred losses as a result of this data breach.
Among the plaintiffs filing suit against Target were a number of financial institutions whose lawsuits were subsequently consolidated in an action before the U.S. District Court in Minnesota. Each of these financial institutions claimed that they were forced to pay for, among other items, fraudulent charges their customers incurred as a result of credit and debit card information being compromised in Target’s data breach. In their lawsuit, the financial institutions argued that because Target failed to take precautions to protect its consumers’ data, Target — not the financial institutions — should ultimately be held liable for these damages.
The ensuing lawsuit was aggressively litigated by both sides. For example, Plaintiffs alone served over 100 subpoenas, took 36 depositions, and reviewed approximately 1.5 million electronic files and documents during the course of discovery. In addition to conducting its own discovery, Target likewise moved to dismiss the financial institutions’ complaint for failure to state a claim. Although Target was successful in dismissing part of the financial institutions’ complaint, in an Order dated December 2, 2014, United States District Judge Paul A. Magnuson allowed the majority of the financial institutions’ lawsuit against Target to proceed.
On December 1, 2015, after multiple years of litigation, Target and the financial institutions entered into a settlement agreement pursuant to which the financial institutions agreed to dismiss their complaint against Target. In return, Target agreed to pay $20.25 million to affected financial institutions, $19.11 million to MasterCard Inc. card issuers, and plaintiffs’ legal fees, which are expected to be substantial. On December 2, 2015, Judge Magnuson preliminarily approved the parties’ settlement agreement, and scheduled a final approval hearing for May 10, 2016.
Shortly after Target’s settlement was reported, the National Association of Federal Credit Unions (NAFCU) issued a statement acknowledging the settlement and reiterating its call for the enactment of a federal data security bill. This bill, as envisioned by the NAFCU, would impose national data security measures on retailers and merchants (similar to those already imposed on credit unions under federal law) and hold these entities accountable for damages resulting from data breaches of their systems. Further, if a data breach results in litigation, the NAFCU’s model data security bill would require the retailer or merchant who incurred the breach to prove they took all necessary precautions to guard consumers’ personal information in order to avoid resulting liability.