On September 15, 2015, U.S. District Judge Paul A. Magnuson certified a class of financial institution plaintiffs in the multi-district litigation pending in the District of Minnesota arising out of the 2013 Target data breach. The data breach affected approximately 40 million cardholders, and the certification of the financial institution class permits banks to move forward with recovering damages from Target that they incurred as a result of the breach, including fraud losses and costs in issuing replacement cards to consumers.
The banks have alleged that Target was negligent in securing its data and in responding to the breach. The Court rejected Target’s argument that the claims of the various banks would be governed by varying state laws, noting that Minnesota law would apply to the case as a result of Target’s contacts to Minnesota, including the fact that Target is based there and houses its payment card servers there. The Court also rejected Target’s argument that damages were speculative and that banks were not required to act in the way that they did following the breach, thereby leading to difficulties for the plaintiffs in proving injury and causation. Rather, the court found that the banks reissued nearly every card alerted on at the time of the breach, so there was no concern that the damages were speculative. The court noted that these damages were incurred at the time of the breach, and as a result of the breach.
Finally, the court noted that while damages could turn out to be too difficult to determine on a class-wide basis, that issue could be dealt with at later phase following a determination on liability if necessary. The case is In re: Target Corp. Customer Data Security Breach Litigation, Case No. 0:14-md-02522, pending in the U.S. District Court for the District of Minnesota.