A federal court recently granted class certification to a group of financial institutions (the “Banks”) in the data breach case against Target Corporation (“Target”) arising from the December 2013 hacking of its computer system, which exposed the financial information of millions of customers. In re: Target Corp. Customer Data Security Breach Litigation, MDL Case No. 14-2522, 2015 U.S. Dist. LEXIS 123779 (D.Minn. Sept. 15, 2015). Specifically, the district court in Minnesota certified a Rule 23(b)(3) class defined as “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publically disclosed by Target on December 19, 2013.” Id. at *4. The Banks alleged three claims against Target: (1) negligence in failing to provide sufficient security to prevent the hackers from accessing customer data; (2) violation of the Minnesota Plastic Security Card Act (“PSCA”); and (3) violation of the PSCA as a per se violation.
In an attempt to defeat certification, Target argued that the Banks’ injuries were only the “risk of future harm” and not cognizable or susceptible to class-wide proof. Id. at *10. The court rejected this argument, holding that “this is not a case in which [the Banks have] yet to suffer harm.” Id. at *11. Citing a survey from the American Bankers’ Association, the court found that the Banks had to reissue “nearly every card” that was subject to an alert after the Target breach. This cost was borne by the Banks at the time of the breach and as a result of the breach. Id. at *11.