Judge Certifies Target Data Breach Class

On September 15, 2015, Judge Paul A. Magnuson of the United States District Court for the District of Minnesota granted Class Certification in a data breach case against Target Corporation. The well-publicized breach occurred during the 2013 holiday shopping season when hackers gain access to Target’s computer system and extracted the financial information of more than 40 million customers.

Target was able to settle a class action filed by consumers; however, this case relates to claims brought by financial institutions who issued payment cards that were used by customers at Target stores. Class members alleged that they suffered injuries “in the form of replacing cards for their customers, reimbursing fraud losses, and taking various other remedial steps in response to the Target data breach.” Target’s arguments and the Court’s opinion focused on the two elements required by Rule 23(b)(3) of the Federal Rules of Civil Procedure (in addition to the preliminary requirements found in Rule 23(a)) of “predominance” (questions of law or fact common to the class predominate over questions affecting individual members) and “superiority” (a class action is superior to any other available procedural methods for adjudicating the controversy).

The Court rejected Target’s first argument that there is no “predominance” because the laws of different states might apply to the different class members by holding that it could constitutionally apply to law of Minnesota to all the class members in light of Minnesota’s significant contacts with the controversy. Most significantly, Target is headquartered in Minnesota and the hacked computer servers were located in Minnesota. Therefore, it would be appropriate and constitutional to exercise Minnesota’s long-arm jurisdiction over the entire controversy.

The Court also rejected Target’s argument that plaintiffs were seeking damages for “future harm” by noting that, while that argument might be compelling in consumer cases, it does not apply in cases brought by financial institutions where the financial institutions were required to reissue payment cards to their customers. The Court noted the “absurdity” of Target’s argument that reissuing the compromised cards was a “business decision” on the part of the financial institutions rather than an injury. The Court determined that a reasonable jury could find that re-issuing the cards, in light of the potential consequences of the data breach to their customers, was a warranted action on the part of the financial institutions. The Court also noted that the absurdity of Target’s argument was highlighted by the fact that Target itself reissued its store brand credit and debit cards.

Finally, the Court rejected Target’s arguments that the class should not be certified because damages cannot be determined on a class-wide basis. The Court held that, even if damages cannot be calculated on a class-wide basis, class certification is still appropriate as long as class-wide issues predominate over individual issues. Here, some proof was presented through an expert report that damages for reissuing costs and fraud losses could be proven and calculated on a class-wide basis, and even if they could not, the class could be decertified for purposes of proving damages after liability issues were determined using the class action procedure. After noting that Target only paid “lip service” to disputing the remainiprocedural hurdles to class certification, the Court decided to certify the class and appoint class counsel.

The case is In re Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (D. Minn. 2015).