On December 2, 2014, the U.S. District Court for Minnesota issued its Memorandum and Order [1] in the “Financial Institution Cases” against Target which granted in part and denied in part Target’s Motion to Dismiss. Target’s motion sought dismissal of a class action complaint filed by a number of banks related to the December 2013 attack by hackers resulting in the massive breach of customers’ credit/debit card information. The banks’ class action seeks damages related to the costs incurred when the banks issued new cards and reimbursed fraudulent charges incurred by customers. Target’s motion sought to dismiss all claims brought by the banks, including claims for negligence, a violation of Minnesota’s Plastic Security Card Act, negligence per se, and negligent misrepresentation by omission. The Court’s Order allows the banks’ class action to move forward.
The December 2, 2014 decision [1] provides significant analysis of the issues concerning data breach cases and undoubtedly will be discussed over the next few months as other courts are set to rule in data breach cases across the country. In particular, the Court found the banks were able to survive Target’s Motion to Dismiss on the following grounds:
- Count I: Negligence in failing to provide sufficient security to prevent hackers from accessing customer data: In addressing the banks’ negligence count, the Court held “[a]t this stage of the litigation, [the banks] have plausibly pled a general negligence case.” The banks’ complaint alleged Target had a duty to safeguard its customers’ data, and Target breached its duty when it purposely disabled some of the security measures that could have prohibited a breach. Therefore, Count I of the banks’ complaint survived Target’s Motion to Dismiss.
- Count II: Violation of Minnesota’s Plastic Security Card Act: This Act, similar to laws found in many other states, prohibits the retention of information stored on a credit or debit card. In finding this cause of action survived Target’s Motion, the Court focused on the banks’ allegations that Target retained credit/debit card information on its servers in violation of the Act. The Court found the banks were able to at least state a claim under this Act based on allegations that the hackers obtained some information from Target’s servers.
- Count III: Negligence Per Se: Target’s only argument with respect to the banks’ negligence per se count relied solely upon the premise that the banks’ claim related to the Minnesota Plastic Security Card Act was defective and must fail as a matter of law. Accordingly, when the Court held that the banks’ claim under the Act survived, the Court held the negligence per se claim must also survive.
While the Court found these three causes of action survived Target’s Motion to Dismiss, the Court granted Target’s Motion seeking dismissal of the negligent misrepresentation by omission claim. The banks alleged that Target was liable for failing to disclose “material weaknesses” in its data security systems. First, the Court held the banks’ complaint adequately pled a duty of care with allegations “that Target’s public representations regarding its data security practices were misleading.” However, the Court granted Target’s Motion to Dismiss on this count because the banks’ “complaint contains no indication that [the Banks] relied on any of the alleged omissions.”
Throughout the Order [1], the Court held Target owed a duty of care to its customers. Specifically, in finding the banks plausibly alleged that Target owed a duty of care, the Court reasoned that imposing such a duty “will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.” The Court further found that “[a]lthough the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur” by disabling security features and failing to heed warning signs. The Court’s reasoning may be the first step toward determining what constitutes a breach of the duty of care in data breach claims.
This decision provides key insight into how courts may be expected to analyze these newly emerging issues. While this decision is not a definitive ruling as to the issues in this case, the Court’s finding that Target could owe a duty to the banks to protect their customers’ information is significant not only to this case, but to other data breach cases pending across the country.
Of course, we will continue to provide updates on all developments in this case.