Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach. Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.
The Target data breach occurred after hackers were able to compromise the security of a Target refrigeration vendor. The vendor’s log-in credentials to the Target computer system provided a portal to infiltrate Target and install malware on point-of-sale (“POS”) terminals that was used to record and steal customers’ card data. In their class certification motion, the banks focus heavily on Target’s alleged data security failings. They claim that Target retained unencrypted card data, disregarded warnings about malware targeting POS terminals, disabled security features that purportedly would have detected the POS malware, ignored alerts generated by its malware detection software, and failed to audit the vendor’s data security practices. Little in the allegations is new, but the allegations are calculated to demonstrate that Target acted negligently in a fashion that consistently and adversely affected the entire putative class of card issuer banks.
To certify their proposed nationwide class, the card issuers will have to establish that choice of law principles allow application of Minnesota law to card-issuing banks located in all 50 states. Were the court to find that each bank’s claim is subject to the law of its state in which it is chartered or has its principal place of business, the numerous and substantial differences in the laws of those states could preclude adjudication of all of the banks’ claims in a single class.
Otherwise, the linchpin of plaintiffs’ argument is that this case should be tried as a class action because all of the banks suffered common harms arising from the regulatory requirements that apply to compromised cards, including costs associated with card cancellation, notice to customers, account monitoring activity, and refunds for fraudulent charges. Plaintiffs fail, however, to address predominance issues associated with the inability to determine whether fraud losses on compromised cards arose from the Target breach, or from theft of the card data somewhere else. In In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D 389 (D. Mass. 2007), the court held that endemic fraud levels in the payment card industry made it impossible to determine with any certainty which losses result from a data breach, thereby requiring individualized proceedings on damages that preclude class certification. Plaintiffs allege that their expert can accurately calculate which fraud losses were attributable to the Target breach. It is likely that Target’s opposition papers have focused on this issue and will contest the ability to trace fraud losses to the Target breach.
Finally, plaintiffs’ papers ignore the question of whether resolution of claims in the federal court is superior to use of the Visa and MasterCard dispute resolution processes. Although the recently-announced Visa settlement had not been finalized as of the July 1 filing of plaintiff’s motion papers, the earlier unsuccessful attempt to resolve claims through the MasterCard settlement process plainly demonstrates the availability of that process to resolve card issuer data breach claims. Plaintiffs make no attempt to address that issue either. Given their conclusion of the Visa settlement and renewed attempts to pursue a MasterCard settlement, Target is likely to argue that the availability of such processes mean a federal court class action does not afford a superior mechanism to resolve the claims of card-issuer banks.
Target’s opposition to the class certification motion was filed on August 5 but, like plaintiffs’ motion papers, was filed under seal. Target’s papers will not be available to the public until redactions can be made to avoid disclosure of commercially sensitive information.