Archives: Class Action Litigation

Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach.  Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.

The Target data breach occurred after hackers were able to compromise the security of a Target refrigeration vendor.  The vendor’s log-in credentials to the Target computer system provided a portal to infiltrate Target and install malware on point-of-sale (“POS”) terminals that was used to record and steal customers’ card data.  In their class certification motion, the banks focus heavily on Target’s alleged data security failings.  They claim that Target retained unencrypted card data, disregarded warnings about malware targeting POS terminals, disabled security features that purportedly would have detected the POS malware, ignored alerts generated by its malware detection software, and failed to audit the vendor’s data security practices.  Little in the allegations is new, but the allegations are calculated to demonstrate that Target acted negligently in a fashion that consistently and adversely affected the entire putative class of card issuer banks.

To certify their proposed nationwide class, the card issuers will have to establish that choice of law principles allow application of Minnesota law to card-issuing banks located in all 50 states.  Were the court to find that each bank’s claim is subject to the law of the state in which it is chartered or has its principal place of business, the numerous and substantial differences in the laws of those states could preclude adjudication of all of the banks’ claims in a single class.

Otherwise, the linchpin of plaintiffs’ argument is that this case should be tried as a class action because all of the banks suffered common harms arising from the regulatory requirements that apply to compromised cards, including costs associated with card cancellation, notice to customers, account monitoring activity, and refunds for fraudulent charges.  Plaintiffs fail, however, to address predominance issues associated with the inability to determine whether fraud losses on compromised cards arose from the Target breach, or from theft of the card data somewhere else.  In In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389 (D. Mass. 2007), the court held that endemic fraud levels in the payment card industry made it impossible to determine with any certainty which losses result from a data breach, thereby requiring individualized proceedings on damages that preclude class certification.  Plaintiffs allege that their expert can accurately calculate which fraud losses were attributable to the Target breach.  It is likely that Target’s opposition papers have focused on this issue and will contest the ability to trace fraud losses to the Target breach.

Finally, plaintiffs’ papers ignore the question of whether resolution of claims in the federal court is superior to use of the Visa and MasterCard dispute resolution processes.  Although the recently-announced Visa settlement had not been finalized as of the July 1 filing of plaintiffs’ motion papers, the earlier unsuccessful attempt to resolve claims through the MasterCard settlement process plainly demonstrates the availability of that process to resolve card issuer data breach claims.  Plaintiffs make no attempt to address that issue either.  Given their conclusion of the Visa settlement and renewed attempts to pursue a MasterCard settlement, Target is likely to argue that the availability of such processes means a federal court class action does not afford a superior mechanism to resolve the claims of card-issuer banks.

Target’s opposition to the class certification motion was filed on August 5 but, like plaintiffs’ motion papers, was filed under seal.  Target’s papers will not be available to the public until redactions can be made to avoid disclosure of commercially sensitive information.

Target has announced that it has entered into a settlement with Visa to resolve claims of issuers of Visa credit and debit cards arising from Target’s November 2013 data breach.  The proposed settlement will pay issuers of Visa payment cards up to $67 million to reimburse losses associated with the theft of card numbers from Target POS terminals.  Unlike an earlier proposed $19 million settlement with MasterCard, the Visa settlement does not require card issuer approval.  The MasterCard settlement agreement terminated in May 2015 for failure to gain the required approval of issuers of 90% or more of the affected cards.  Additional details of this settlement will follow as they become available.

Neiman Marcus Petition Claims that Seventh Circuit Decision Invents Harm to Find Standing to Bring Data Breach Claims

Retailer Neiman Marcus has filed a petition seeking en banc review by the entire Seventh Circuit of the decision by a three-judge panel of that court in Remijas v. Neiman Marcus Group, LLC reversing dismissal of consumer data breach claims for lack of standing.   As we previously reported, the panel decision in Remijas held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.   In so ruling, the panel rejected the district court’s holding that plaintiffs’ allegations of potential future harms arising from stolen credit card numbers were too remote to satisfy the standing requirements set forth by the Supreme Court in Clapper v. Amnesty Intʹl USA, 133 S. Ct. 1138 (2013).

Originally posted in Mintz Levin’s Health Law & Policy Matters Blog

Written by Jordan Cohen

In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results).  Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.

As night follows day, by the following Tuesday – July 21, 2015 – UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.

Seventh Circuit Rules Consumers Have Standing to Sue in Neiman Marcus Payment Card Data Breach Case

In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit reversed a district court decision dismissing consumer payment card data breach claims for lack of standing.  The appellate panel held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.  The district court, following Clapper v. Amnesty Intʹl USA, 133 S. Ct. 1138 (2013), had construed plaintiffs’ allegations of potential future harms to be too remote to confer standing.  The Seventh Circuit distinguished Clapper, finding that Clapper does not foreclose suit based on all future harm, just suit based on speculative future harm.  Unlike Clapper, which concerned potential NSA interceptions of the plaintiffs’ communications, Remijas alleged actual theft of payment card data, making the potential for misuse of that information, in the Seventh Circuit’s view, not unduly speculative.  Accordingly, costs to avoid potential injury to consumers’ credit were deemed cognizable harm for purposes of Article III standing.

In its recently-filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims.  In payment card data breach cases, defendants typically argue that consumers lack standing to sue because card issuers hold consumers harmless for any fraudulent charges on their credit or debit cards.  Such standing arguments are not ordinarily advanced against the claims of the card-issuing banks that end up paying those bogus charges.  Home Depot, however, argues that the card issuer plaintiffs do not allege sufficient injury to have standing to bring suit in federal court.  In particular, Home Depot maintains that the card issuers’ consolidated complaint, despite listing 68 separate named plaintiffs, does not contain any specific allegations that identify with particularity what losses, if any, those plaintiffs suffered.  Only two of the complaint’s 285 paragraphs allege the harms suffered by card issuers, but both do so without identifying which particular harms alleged had been sustained by any named plaintiffs.  Home Depot argues that the failure to plead the existence of concrete injuries suffered by named plaintiffs is fatal to the card issuers’ complaint.

In addition, Home Depot asserts that alleged losses incurred to avoid potential future harms – such as the cost of issuing new cards – are not cognizable injuries under the Supreme Court’s ruling in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).  Clapper held that, to be sufficient to confer Article III standing, losses must be “fairly traceable” to a defendant’s purported wrongdoing.  Losses willingly incurred to protect against a possibility of future harm do not suffice.  See id. at 1152-53.  Quoting Clapper, 133 S. Ct. 151, Home Depot contends that the card issuers “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”   Thus, without conceding that other types of losses might confer standing, Home Depot argues that losses directed toward future harms, even if alleged with particularity, would be insufficient as a matter of law to confer Article III standing on the card issuer banks.

A second significant ground on which Home Depot seeks dismissal of the card issuers’ claims is lack of ripeness.  This argument is premised on the complex and detailed rules governing the interrelationship between card issuing banks, banks that accept charges made on cards and the card brands that issue the cards.  Each of the card brands establishes a process for resolving claims relating to fraudulent charges made on their cards.  In its brief, Home Depot collectively refers to the ongoing adjudication of data breach claims under those rules as the “Card Brand Recovery Process.”  According to Home Depot, the Card Brand Recovery Process is ongoing and could substantially resolve card issuers’ claims.  At a minimum, Home Depot contends that card issuers would not be entitled to seek recovery in the consolidated federal court lawsuit that is duplicative of amounts awarded through the Card Brand Recovery Process.  Accordingly, Home Depot argues that the card issuers’ claims will not be ripe until the Card Brand Recovery Process has been completed and the extent of their injuries, if any, is then known.

The card brand claim adjudication process has already played a significant role in connection with card issuers’ claims in the consolidated data breach class action against Target.  In that case, Target attempted to obtain a global resolution of the claims of MasterCard-issuing banks through a settlement negotiated with MasterCard under its dispute resolution rubric.  The proposed settlement was conditioned on approval by issuers of at least 90% of the eligible accounts and failed due to lack of support by issuing banks.  Target’s lack of success in using the card brand dispute resolution process to dispose of card issuer claims casts some doubt on whether Home Depot’s ripeness argument, even if accepted, would facilitate a final resolution of claims outside of federal court.  Allowing the Card Brand Recovery Process to continue, however, could reduce the number of outstanding claims and yield more manageable proceedings in federal court.

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and social security numbers.  OPM serves as the human resources department – and holds employee records – for the entire federal government, ranging from security clearances to the identities of covert CIA agents.  Every federal agency is potentially affected by this breach.  Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail.  OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach.  Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website  notice that the agency recently implemented an “aggressive effort” to update its network security.  Unfortunately, this effort only revealed the hack, but was not implemented in time to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private companies breach victims as a glowing example of how easily hackers can get in to even the most fortified government controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims.  While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.

Target’s attempt to resolve claims of MasterCard-issuing banks through a $19 million private settlement with MasterCard has been terminated for failure of issuers of 90% of the affected cards to accept the settlement by the Wednesday, May 20 acceptance deadline.  Press reports on Friday, May 22 indicated that both Target and MasterCard had confirmed that failure to meet the 90% requirement had voided the settlement.  The termination of the settlement means that MasterCard issuing banks no longer have the option to accept a portion of the proposed $19 million MasterCard settlement pool to settle their claims against Target.

For now, the claims that would have been resolved in the MasterCard settlement continue to be the subject of the consolidated class action pending in federal court in Minnesota.  It remains to be seen whether Target and MasterCard will go back to the drawing board to craft a new and richer settlement, or if Target will abandon its attempt to obtain a private settlement and pursue resolution of the MasterCard claims through the federal court lawsuit.

Senior U.S. District Court Judge Paul Magnuson issued an order on Thursday, May 7 denying a request by counsel for card issuer banks to enjoin the settlement of data breach related claims negotiated between Target and MasterCard.  As we have previously reported, the proposed settlement would provide compensation to MasterCard-issuing banks for fraud losses and the cost of reissuing credit and debit cards.  Banks that agree to accept the settlement are required to release all data breach claims against Target arising from compromised MasterCard accounts.  Crediting substantive objections to the proposed settlement, Judge Magnuson wrote that “[t]he Court agrees with Plaintiffs’ counsel that the terms of the settlement do not appear altogether fair or reasonable.”  He also signaled disapproval of conducting settlement negotiations outside of the court proceedings without participation by or notice to class counsel, stating that “the way this issue has arisen is neither fair nor is it how the Court expects attorneys to conduct themselves in litigating matters before the Court.”  Nonetheless, Judge Magnuson concluded that he was powerless to enjoin the settlement, insofar as Fed. R. Civ. P. 23, which governs class actions, empowers parties to settle claims that are the subject of a class action privately, without court approval, at any time prior to certification of a plaintiff class.  “Before a class is certified,” he wrote, “a Court’s authority over settlements such as these is limited to curing communications that constitute ‘actual or threatened misconduct of a serious nature.’”  He concluded, however, that Target’s and MasterCard’s communications with card issuers concerning the settlement were not so misleading or deceptive that the Court would be empowered to enjoin the solicitation of card issuers to participate in the settlement.  Accordingly, the judge declined to enjoin the Target-MasterCard settlement.

It is unclear whether class counsel intend to seek interlocutory appellate review of Judge Magnuson’s order.  Such review is highly unusual and difficult to obtain.

As a result of this ruling, the settlement process under the Target-MasterCard settlement agreement can continue to go forward.  In order to participate in the settlement, issuer banks must affirmatively elect to join the settlement and provide releases to Target.  Target can walk away from the settlement if issuers of fewer than 90% of the affected payment card accounts opt into the settlement.  It is likely that class counsel will encourage issuer banks to decline the settlement and continue to participate in the class action.  The success or failure of such a campaign will determine whether MasterCard-related claims continue to be litigated in federal court before Judge Magnuson.  Also unclear at this point is whether a similar settlement is in the works between Target and Visa to resolve the claims of Visa-issuing banks and, if so, what the terms of that settlement will be.