A federal court recently granted class certification to a group of financial institutions (the “Banks”) in the data breach case against Target Corporation (“Target”) arising from the December 2013 hacking of its computer system, which exposed the financial information of millions of customers. In re: Target Corp. Customer Data Security Breach Litigation, MDL Case No. 14-2522, 2015 U.S. Dist. LEXIS 123779 (D.Minn. Sept. 15, 2015). Specifically, the district court in Minnesota certified a Rule 23(b)(3) class defined as “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publically disclosed by Target on December 19, 2013.” Id. at *4. The Banks alleged three claims against Target: (1) negligence in failing to provide sufficient security to prevent the hackers from accessing customer data; (2) violation of the Minnesota Plastic Security Card Act (“PSCA”); and (3) violation of the PSCA as a per se violation.
In an attempt to defeat certification, Target argued that the Banks’ injuries were only the “risk of future harm” and not cognizable or susceptible to class-wide proof. Id. at *10. The court rejected this argument, holding that “this is not a case in which [the Banks have] yet to suffer harm.” Id. at *11. Citing a survey from the American Bankers’ Association, the court found that the Banks had to reissue “nearly every card” that was subject to an alert after the Target breach. This cost was borne by the Banks at the time of the breach and as a result of the breach. Id. at *11.
In response, Target argued that the Banks were not required by law, contract, or regulation to issue new cards in the aftermath of the breach. Instead, the Banks had made a business decision to reissue the cards, it argued. The court soundly rejected this argument: “The absurdity of this suggestion is evidence from the fact Target itself reissued all of its RedCards … in the weeks after the breach. Whether a specific action was legally mandated is not required to establish injury or causation.” Id. at *11-12.
In an attempt to defeat the commonality and predominance requirements of Rule 23, Target argued that the proposed class members were headquartered in different states, and each state had different negligence standards and those standards may conflict. Therefore, based on Target’s argument, class treatment of those claims was inappropriate because it would require the court to conduct a choice-of-law analysis for each Bank to determine which state’s negligence law applies.
Rejecting this argument, the court held that it could constitutionally apply Minnesota law because Minnesota had significant contact or a significant aggregation of contacts, creating state interests, and that such choice of law is neither arbitrary nor fundamentally unfair. Id. at *9. (Internal citations omitted.) Here, the court observed that Minnesota contacts in this action are “legion.” Id. Target is headquartered in Minnesota, its computer servers are in Minnesota, and the decisions regarding whether to thwart malware occurred largely in Minnesota. Applying Minnesota law comported with the Banks’ expectations: when dealing with a Minnesota corporation, it seemed likely that Minnesota law would apply to those dealings.
Target also argued that it was impossible to determine the Banks’ damages on a class-wide basis, arguing that the Banks could not demonstrate an “injury in fact.” Id. at *15-16. But the court held that “every financial institution whose customers’ cards were stolen in the breach suffered an injury in fact is readily apparent.” Target then claimed that the reissuance and fraud losses must be made on a bank-by-bank, loss-by-loss basis, making damages too individual for class-wide treatment, citing Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1433 (2013).
However, the court rejected Target’s reading of Comcast and held that “even if the damages alleged here—reissuance and fraud losses—cannot ultimately be calculated on a class-wide basis, class certification is still appropriate if the other certification factors are met and there is no risk that individual damages outweigh the class-wide issues.” Id. at *19.