On September 15, 2015, the court presiding over the financial institutions data breach lawsuit arising out of the Target data breach granted the Plaintiffs’ motion for class certification. The practical implications of this decision are that financial institutions affected by the data breach will not be required to bring their own suit to recover damages. Theoretically, this would allow financial institutions that may not have otherwise filed an individual suit on their own to join the class action and recover damages as part of the class. The certified class includes all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.
The three claims that have been certified for class action treatment include:
(2) Violation of the Minnesota Plastic Security Cards Act (MPSCA); and
(3) Negligence per se predicated on violation of the MPSCA.
At the outset, the court dismissed Target’s argument that a class should not be certified because the court would be required to undertake a complex, individualized analysis regarding which state’s law would apply, which would be impracticable given the location of the various institutions affected. In rejecting this argument, the court noted that applying Minnesota law would comport with constitutional requirements given that Target along with its computer servers were located in Minnesota at the time of breach and the alleged wrongful acts occurred in Minnesota.
With respect to the elements of the negligence claim, Target argued that class-wide proof could not support the elements of injury or causation. The court recognized that, unlike the consumer related class that alleged a future harm, the financial institutions had suffered an injury in the form of reissuing cards and taking other actions to protect its customers. Target argued that the financial institutions were not required to take any action and thus the actions they did take were not proximately caused by the breach. Finding Target’s position absurd, the court noted that Target also reissued its own debit and credit cards after the breach.
The court similarly rejected Target’s arguments relating to the MPSCA and negligence per se claims, noting that the reasonableness of particular actions undertaken by the financial institutions, such as reissuance or credit monitoring, could be determined by proof on a class-wide basis.
Finally, Target argued that damages would need to be calculated on a bank-by-bank basis for each loss rendering the case unsuitable for class action status. While acknowledging that the damages sought may ultimately require proof on a more individualized basis, the court found that the Plaintiffs’ expert’s opinion stating it is possible to compute class-wide damages based on a common injury relating to reissuance and fraud losses was sufficient at this stage of class certification to proceed.
Although this decision presents a significant victory for Plaintiffs, the court may ultimately decide to decertify the class if it finds grounds to do so at a later stage of the litigation. Further, as the court noted, the court may also decide to decertify a damages class and stay the determination of the damages aspect of the case pending the liability phase if the damages issue becomes unworkable.