Jessica Karmasek Sep. 18, 2015, 10:55am


MINNEAPOLIS, Minn. (Legal Newsline) - A federal judge, in an order this week, said a class action lawsuit brought by banks and financial institutions against retailer Target over a 2013 data breach can proceed.

The banks allege, among other things, they were forced to replace credit and debit cards for their customers and reimburse fraud losses as a result of the data breach, which occurred between Nov. 27 and Dec. 15, 2013 -- the peak of the year’s holiday shopping season.

After the Judicial Panel on Multidistrict Litigation consolidated lawsuits regarding the breach in the U.S. District Court for the District of Minnesota, the case was separated into two “tracks”: one for consumers and one for financial institutions.

The consumer action has settled, pending final court approval. Judge Paul A. Magnuson, in a 16-page order entered Tuesday, agreed to certify the class in the financial-institution track.

Target had argued the class could not be certified because there is no classwide proof supporting the banks’ negligence claims. Such claims are subject to the laws of different states, the company said.

Magnuson disagreed, saying the wholesale application of Minnesota law is indeed appropriate.

“Target is headquartered in Minnesota; its computer servers are located in Minnesota; the decisions regarding what steps to take or not take to thwart malware were made in large part in Minnesota,” the judge wrote.

The company also had argued that the banks’ injuries are “risk of future harm” injuries that are not cognizable or susceptible of classwide proof.

Not so, Magnuson said in his order.

“There is a fundamental difference between the injury claimed in the consumer cases on which Target relies for this argument, in which the risk of future harm is a possibility that one’s financial information might at some point in the future be misused, and the injuries the Plaintiffs allege to have suffered,” the judge explained. “Most importantly, this is not a case in which Plaintiffs have yet to suffer any harm.

“According to a September 2014 American Bankers Association survey, banks reissued ‘nearly every card’ that was subject to an alert after the Target breach. This is not a ‘future harm.’ This is a cost borne at the time of the breach and as a result of the breach.”

The judge shot down Target’s notion that reissuing cards was simply a “business decision” and not an injury proximately caused by the breach.

“What Target suggests is that, because there was no requirement to act, financial institutions should have done nothing in the face of dire alerts regarding the data breach issued by the card-issuing companies and by Target itself and the known potential consequences for the institutions’ customers,” he wrote. “The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach.”

Magnuson explained that whether a specific action was legally mandated is not required to establish injury or causation.

“Some action on the part of the financial institutions was certainly warranted, and a reasonable jury could so find,” he wrote.

In further arguing against class certification, Target said damages must be calculated on a bank-by-bank basis, thus making damages “too individual” for classwide determination.

Magnuson said although the financial institutions’ damages may ultimately require some individualized proof, it is possible to prove classwide common injury and “reliably compute” classwide damages.

“Should classwide damages ultimately prove unworkable, a damages class can be decertified and damages questions stayed for determination after the liability phase concludes,” the judge noted.

Magnuson also appointed class counsel in the case: Zimmerman Reed PLLP and Chestnut Cambronne PA as co-lead counsel and Reinhardt Wendorf & Blanchfield, Lockridge Grindal Nauen PLLP, Barrett Law Group PA, Levin Fishbein Sedran & Berman, Kessler Topaz Meltzer & Check LLP, Carlson Lynch Ltd., Scott + Scott LLP, Hausfeld LLP, and Beasley Allen Crow Methvin Portis Miles PC as co-class counsel.

A Target spokeswoman told Reuters earlier this week that the company was “disappointed” in the judge’s order, and would review the decision and consider its next steps.

From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.

More News