On March 19, 2015, a Minnesota federal judge granted preliminary approval of Target Corporation’s (Target) proposed $10 million settlement of a class action lawsuit, which arose out of a 2013 data breach that compromised personal information of roughly 110 million of Target’s customers. The proposed settlement would pay out $10 million to the plaintiffs and up to $6.75 million in attorney fees. Consumers affected by the breach could be awarded up to $10,000 in damages each if they can prove damages.
This case is significant for two main reasons. First, the fact that the plaintiffs were able to defeat a motion to dismiss for lack of standing to sue indicates that the bar may be lowering for successfully alleging injury in data breach lawsuits. Second, the Court’s approval of the proposed settlement raises the question of whether the settlement amount will become a benchmark in future data breach cases.
Background of the Target Lawsuit and Settlement
During the 2013 holiday shopping season, hackers breached Target’s computer systems, stealing the personal information of approximately 110 million Target customers and compromising at least 40 million credit and debit cards. The plaintiffs brought a class action on behalf of the Target customers who were victims of that breach, alleging violations of consumer protection laws and data breach statutes, and alleging negligence in failing to safeguard customer data, among other claims. Target moved to dismiss the class action complaint on the grounds of lack of standing for failure to establish injury.
In December 2014, US District Judge Paul A. Magnuson denied Target’s motion to dismiss, concluding that the plaintiffs had successfully alleged injury that was “fairly traceable” to Target’s conduct, such as unlawful charges, restricted or blocked access to bank accounts, and late payment charges or new card fees. In denying Target’s motion to dismiss, Judge Magnuson allowed the plaintiffs to proceed with a majority of their claims.
Target’s proposed settlement of $10 million for the consumer class action was revealed in a court filing on March 18, 2015 and granted preliminary approval on March 19. Under the agreement, Target will deposit $10 million into an escrow account to pay consumer claims for up to $10,000 per person. Consumers seeking to collect money will need to prove that they suffered cognizable damages such as unauthorized charges, card replacement fees, and late fees. Class members may also claim “lost time” damages, a relatively novel category of damages, of $10 an hour for up to two hours of the time spent addressing the unauthorized charges on their accounts.
In addition, the proposal requires Target to change its security policies within 10 business days of the settlement becoming effective, and also requires the company to 1) appoint a chief information security officer; 2) maintain a written information security program; 3) maintain a process to monitor information security events and respond to such events; and 4) provide security training to its employees.
The December ruling that allowed the plaintiffs’ class action to proceed may represent a lowering of the bar for standing in data breach lawsuits, especially in light of prior data breach lawsuits where plaintiffs have struggled with proving actual monetary losses. The pending settlement does not cover the claims brought by the financial institutions for fraudulent charges against credit and debit cards compromised in the breach. The promptness with which Target settled this action may be a reflection of the strength of the claims brought by these financial institutions in their pending litigation.
The plaintiffs’ success in establishing standing, combined with Target’s willingness to settle promptly and the Court’s preliminary approval of up to $6.75 million in attorney fees, may encourage plaintiffs and attorneys to mount challenges to retailers that suffer data breaches in the future.
The final hearing on the settlement has been set for November 10, 2015. Arent Fox attorneys will continue to monitor the case and the related data breach lawsuits.