Issuing Banks Obtain Class Certification in Target Data Breach MDL

09/25/2015

Financial institutions are moving forward in their multidistrict litigation (“MDL”) lawsuit against Target following the company’s 2013 payment card breach. Last week, a Minnesota federal district court certified a class of approximately 9,000 banks and credit unions that issued payment cards affected by the breach. The ruling is the first to grant class certification in litigation following a payment card compromise.

In late 2013, Target suffered a data breach impacting the payment card data of 40 million shoppers and the personal information of 70 million more. Following the breach, financial institutions that issued payment cards compromised in the breach (“Issuing Banks”) sued Target alleging that Target had been negligent in not providing sufficient security to prevent the breach, had violated Minnesota’s Plastic Security Card Act (“PSCA”), and had been negligent per se in violating the PSCA. The Issuing Banks sought to recover the losses they suffered in reimbursing card holders for fraudulent charges, reissuing payment cards, and engaging in various other remedial measures.

The majority of the Issuing Banks’s claims survived a motion to dismiss in December 2014, and in July 2015, they asked the court to certify a class “of all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.” Under Federal Rule of Civil Procedure 23(b)(3), a court may certify a class that meets the requirements of Rule 23(a)—commonly referred to as numerosity, commonality, typicality, and adequacy of representation—and when “the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.”

Objecting to class certification, Target argued that the class didn’t satisfy the commonality requirement of Rule 23(a) or the predominance requirement of Rule 23(b)(3). With respect to Rule 23(a)’s commonality requirement, Target argued that the Issuing Banks’ claims were not subject to classwide proof because the negligence claims arose under the laws of different states. The court, therefore, would have to conduct a choice-of-law analysis with respect to each Issuing Bank’s claims, making classwide treatment unworkable. Target also argued that the Issuing Banks could not rely on classwide proof to establish a prima facie case of negligence or a violation of the PCSA.

The court disagreed. It found that Target’s contacts with Minnesota were so strong that the court could constitutionally apply Minnesota law despite any conflicts among the laws of the class members’ home states. Thus, the court could apply Minnesota law to the Issuing Banks’ claims, obviating the need to conduct a choice-of-law analysis and allowing the court to adjudicate the Issuing Banks’ claims on a classwide basis. Likewise, the court rejected Target’s arguments that the Issuing Banks’s allegations regarding negligence and violation of the PCSA were not susceptible to classwide proof.

Target further argued that the Issuing Banks’ proposed class did not satisfy the predominance requirement of Rule 23(b). Among other things, Target argued that the Issuing Banks’ alleged damages could not be calculated on a classwide basis because losses that arose from reissuance of payment cards and reimbursement of fraudulent charges must be calculated on a bank-by-bank basis.

The court was not persuaded. Relying in part on the opinion of the Issuing Banks’ damages expert, the court held that damages could indeed be calculated on a classwide basis. Moreover, the court held, “even if the damages alleged here—reissuance costs and fraud losses—cannot ultimately be calculated on a classwide basis, class certification is still appropriate if the other certification factors are met and there is no risk that individual damages issues outweigh the classwide issues.” Alternatively, the court held that individual damages issues could be determined after resolution of the common liability issues if classwide damages “ultimately prove unworkable.”

The court’s decision marks an important milestone in data breach litigation and increases the litigation risk for companies that collect payment card data or other personal information. Given the court’s analysis, this case may serve as a model for plaintiffs seeking class certification in data breach litigation.

For a copy of the district court’s order, please click here. See our coverage of the consumer class action here.

For additional information, please contact one of the Haynes and Boone lawyers listed below.

Ronald W. Breaux
214.651.5688
ron.breaux@haynesboone.com


Thad Behrens
214.651.5668
thad.behrens@haynesboone.com

Daniel H. Gold
214.651.5154
daniel.gold@haynesboone.com


Emily Westridge Black
512.867.8422
emily.westridgeblack@haynesboone.com


Timothy Newman
214.651.5029
timothy.newman@haynesboone.com

 

Email Disclaimer