Target Consumers Can Move Forward With Data Breach Claims, Court Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dec. 19 — Approximately one year after Target Corp. disclosed that hackers had compromised the payment card and other personal information of tens of millions of its customers, a federal district court Dec. 18, 2014 permitted the majority of the claims of a putative class of consumers to proceed against the retailer.

At a Dec. 1, 2014, hearing on the motion to dismiss, Judge Paul A. Magnuson said he doubted Target's argument that its customers weren't harmed after the breach.

Here, the court said that the named plaintiffs had sufficiently alleged injury to establish standing to bring their claims, in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”

The court had previously allowed claims by banks against Target to proceed in a separate track of the consolidated litigation. In that Dec. 2 ruling, the court said that Target must defend itself against claims that its failure to shield computer systems allowed hackers to steal the account data of millions of shoppers, forcing banks to reimburse fraudulent charges and issue new credit and debit cards.

One Year Ago

The court called the Target data breach “one of the largest breaches of payment-card security in United States retail history.”

On Dec. 19, 2013, Target reported a data breach that may have compromised the personal information of millions of Americans over the 2013 holiday shopping season, including information on 40 million debit and credit cards. It later announced that the e-mail and other contact information on as many as 70 million customers may have been hacked.

Lawsuits soon followed. Multiple data breach complaints against Target filed by consumers, financial institutions and shareholders were consolidated in the U.S. District Court for the District of Minnesota. The consumer plaintiffs alleged that Target violated the consumer protection laws of 49 states and the data breach statutes of 38 states. They also brought claims for negligence, breach of implied contract, breach of contract, bailment and unjust enrichment.

The company said in August that it was facing $148 million in gross expenses related to breach, offset by $38 million in insurance coverage.

Statutory Claims

The court granted in part and denied in part the retailer's motion to dismiss the claims in the consumer track of the litigation.

The court dismissed several claims under state consumer protection statutes that it said don't provide a private right of action. It also ruled that the plaintiffs couldn't maintain a class action under several other state consumer protection statutes because those statutes prohibit class-action treatment of claims.

In addition, the court dismissed the plaintiffs' claims under the data breach notice statutes of Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada, Texas and Rhode Island. It said that those states either permit enforcement only by the state's attorney general or another government official or are completely silent on enforcement.

Common Law Claims

The court found that the economic loss rule barred the plaintiffs' negligence claims under the laws of five states.

Although court said that the plaintiffs sufficiently alleged the existence and terms of an implied contract, it dismissed a separate breach of contract claim because the plaintiffs failed to plead the federal law with which Target allegedly didn't comply. It also dismissed the plaintiffs' bailment claim with prejudice “because there is no indication that Plaintiffs can plausibly allege the existence of a bailment in this case.”

The plaintiffs brought an unjust enrichment claim under two theories, first on the theory that they were overcharged and second on the theory that they wouldn't have shopped at Target had it timely notified customers of the breach. Although the court found the shopping theory plausible, it dismissed the portion of the unjust enrichment claim based on the overcharge theory.

The court said “the fact that all customers regardless of payment method pay the same price renders Plaintiffs' overcharge theory implausible.”

Heins Mills & Olson Plc, Nichols Kaster PLLP, Morgan & Morgan Complex Litigation Group PA, Girard Gibbs LLP, Milberg LLP and Stueve Siegel Hanson LLP represented the named plaintiffs and the proposed class. The following firms represented Target: Ropes & Gray LLP; Faegre Baker Daniels LLP; Morrison & Foerster LLP; Davis Wright Tremaine LLP; Armstrong Teasdale LLP; Hinckley, Allen & Snyder LLP; Mashoff Brennan; and Lugenbuhl, Wheaton, Peck, Rankin & Hubbard.

Full text of the court's opinion is available at


Request Bloomberg Law: Privacy & Data Security