Case: In re: Target Corp. Customer Data Security Breach Litigation
Issue: Whether class certification of the financial institutions that issued payment cards compromised by the 2013 Target data breach is appropriate.
Case Summary: A Minnesota district court granted class certification to financial institutions that issued payment cards compromised by the 2013 Target data breach.
In their class certification motion, the financial institutions argued that Target was negligent in failing to provide sufficient cybersecurity to protect their data. They argued that class certification is appropriate because they suffered common injuries associated with replacing cards for their customers, reimbursing fraud losses, and taking remedial steps in response to the data breach.
The district court granted class certification, writing that “given the number of financial institutions involved and the similarity of all class members’ claims, the financial institutions have established that the class action devise is the superior method for resolving this dispute.”
In rejecting Target’s argument that the banks’ negligence claims were not subject to class-wide proof because the claims arose under different state laws, the court held that Minnesota law applies because Target is headquartered in Minnesota, its computer servers are located there, and it makes decision on cybersecurity there. The court also rejected Target’s argument that the banks’ claims were speculative. In citing ABA’s September 2014 survey, the court found that the banks “reissued nearly every card” subjected to the data breach. Finally, the court rejected Target’s argument that the banks were not required by law to issue new cards, writing that Target’s view was “absurd” given that Target reissued all of its own cards after the data breach.
Bottom Line: The court also named Zimmerman Reed and Chestnut Cambronne as class counsel and Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain as class representatives.