On Thursday, the attorney for Target Corporation (“Target”) made oral arguments in support of its motion to dismiss consumer claims stemming from the data breach it suffered late last year when hackers stole financial and personal information of approximately 110 million consumers during the busy Christmas holiday season. Nearly 60 lawsuits were filed by consumers claiming that the data breach suffered by Target placed them at risk for identity theft and unauthorized charges, reduced their account access and impacted their credit. The cases were eventually consolidated in the U.S. District Court for Minnesota and are presided over by Judge Paul Magnuson. Target’s pending motion seeks to dismiss claims by consumers primarily for an alleged lack of standing because the consumer plaintiffs have not sufficiently alleged any actual, or future, injury or damages.
Target’s pending motion against consumer plaintiffs comes two weeks after Judge Magnuson delivered a significant victory to financial institution plaintiffs – issuer banks that provide credit to consumers and issue payment cards – by denying Target’s motion to dismiss the financial institution plaintiffs’ claims. The financial institution plaintiffs’ complaint asserted four claims against Target: (1) negligence for failure to provide security sufficient to prevent access to customer data; (2) violation of Minnesota’s Plastic Card Security Act (“PCSA); (3) negligence per se based on the alleged violation of the PCSA; and (4) negligent misrepresentation by omission based on Target’s alleged failure to inform banks of its alleged security deficiencies.
The financial institution plaintiffs allege that Target did not take the proper precautions in protecting its computer systems, delayed its response to the breach and disabled security components, which allowed hackers to install “malware” that collected customer’s payment information and personal data at the “point of sale” terminals. Target argued that the attack was caused by hackers and that it shouldn’t be held liable to financial institution plaintiffs following a data breach.
Judge Magnuson denied Target’s motion as to the negligence and negligence per se claims, and violation of the Minnesota PCSA. He granted the motion with regard to the financial institution plaintiffs’ negligent misrepresentation claim but allowed the financial institution plaintiffs the opportunity to file an amended complaint.
Judge Magnuson determined that Target had a duty to the issuer banks to ensure that customer credit and debit card data was adequately protected, finding that there was a foreseeable risk of injury to the financial institution plaintiffs if Target did not. The court also determined that although third party hackers caused the harm to the plaintiffs, Target contributed to the harm though its own inadequate data security protocols. Judge Magnuson further found that Target violated the PCSA when it briefly retained some of the customer’s financial data on its servers, which the hackers collected.
Importantly, Judge Magnuson’s decision provides clarity to the legal relationship that may exist between retailer/merchants and issuer banks and which could increase the liability of retailer/merchants to those banks if they fail to adequately safeguard consumer personal and financial information. Unlike consumers, banks can quantify specific damages such as expenses for replacing bank cards. In addition, the decision provides some guidance on the standard of care a court might require in assessing the adequacy and propriety of a company’s data security efforts, where the court determined that Target’s reduction of certain security procedures and failure to act promptly upon learning of the potential breach, could be found to be inadequate.
Target Expects a Better Outcome in Round Two
Target’s current motion is directed at consumers and alleges that consumers lack standing to assert their claims because they have not alleged facts sufficient to establish that they have been, or will be, injured by the data breach. In addition, Target argues that the data breach statutes of several of the states where plaintiffs’ transactions occurred do not allow for a private right of action. Target’s argument that the consumer plaintiffs lack standing to maintain an action due to a lack of actual injury or damages has been successfully advanced in data breach cases over the years and has resulted in many actions being dismissed at the pleadings stage.
Notably, Target’s argument that the consumer plaintiffs lack standing relies on a recent Supreme Court decision in Amnesty Int’l v. Clapper, which held that a plaintiff must establish that any alleged future injury is “certainly impending” to establish standing. Given that injury and damages claimed by data breach plaintiffs are often based on the mere possibility that a consumer’s personal and financial information may be used fraudulently in the future, Clapper’s “certainly impending” requirement imposes a high burden for plaintiffs to establish standing in data breach cases. Recent data breach cases where the defendants have relied on the “certainly impending” standard set forth in Clapper have been mixed, ranging from dismissals in data breach cases involving Neiman Marcus and Barnes & Noble to a rejection of the lack of standing argument in a data breach case involving Sony Corporation.
As a result, given the size of the data breach and facts involved in this litigation, the court’s decision on Target’s pending motion to dismiss has the potential to have a significant influence on the issue of standing to assert claims for injury in data breach cases. At the very least, it will add substantially to a growing list of district court cases that are likely to make their way through the federal appellate court system and on to the Supreme Court for clarity on this very important issue. Stay tuned.