Target Customers Seek Class Actions Over Massive Credit Card Breach


Target customers have filed lawsuits in several states over a massive credit card security breach which occurred during the first three weeks of the holiday shopping season between November 27 and December 15. Hackers stole data from as many as 40 million credit and debit cards used at almost 1,800 Target stores. The cyber thieves obtained the information by placing malware onto computer systems at the checkout desks. The stolen data reportedly includes names, account numbers, expiration dates and some encrypted personal identification numbers (PINs).

The lawsuits, all of which seek class action status, have now been filed in Massachusetts, Florida, Washington, Illinois, California, Oregon, and Minnesota, the state where Target is based. The complaints broadly allege that Target failed to implement and maintain reasonable security procedures and practices. The California and Oregon complaints specifically state that, but for Target's negligence, the thieves could not have installed the malware on Target's point of sale machines that tracked customer payment information.

If the lawsuits are allowed to proceed as class actions, the potential number of plaintiffs could be in the millions, with the potential for total damages to be very significant - in the tens to hundreds of millions of dollars, and possibly higher. For a class action to proceed, Federal Rule of Civil Procedure 23(a) requires that the class meet several certification requirements. One such requirement is predominance - questions of law or fact for the class must predominate over questions affecting individual members. Defendants in a few recent large data breach cases, such as In re Hannaford Bros. Privacy Litig., 2:08-MD-1954-DBH (D.Me., Mar. 20, 2013), have successfully challenged class certification based on a lack of predominance. The court in In re Hannaford Bros. agreed with the defendants' contention that were the case to continue, it would need to engage in an individual assessment for each plaintiff to determine damages, and that therefore the predominance requirement was not met. Several courts have ruled differently, however, including in Harris v. comScore, Inc., No. 11-C-5807 (N.D.Ill., Apr. 2, 2013), in which the Northern District of Illinois granted class certification in a data breach class action. The court in comScore held that common issues predominated over individual differences and that a class action was therefore the fair and efficient method for plaintiffs to pursue their claims.

Target customers whose data was stolen face the specter of financial loss and identity theft, but the breach is recent, and it is too soon to know what the full impact might be. There are reports that stolen card numbers used at Target have shown up in underground markets where data is traded. In addition to seeking recompense for actual financial loss, plaintiffs in these lawsuits seek damages such as the expense of credit monitoring and unspecified "equitable relief." A court may rule that an individual analysis is necessary to determine what these damages entail for each plaintiff. However, a court may find that common issues predominate if specific evidence of class-wide damages develops, or there is a method of determining each class member's damages. It is likely that Target will challenge class certification in these cases, but the outcome is far from certain.