Archives: Class Action Litigation

Senior U.S. District Court Judge Paul Magnuson issued an order on Thursday, May 7 denying a request by counsel for card issuer banks to enjoin the settlement of data breach related claims negotiated between Target and MasterCard.  As we have previously reported, the proposed settlement would provide compensation to MasterCard-issuing banks for fraud losses and the cost of reissuing credit and debit cards.  Banks that agree to accept the settlement are required to release all data breach claims against Target arising from compromised MasterCard accounts.  Crediting substantive objections to the proposed settlement, Judge Magnuson wrote that “[t]he Court agrees with Plaintiffs’ counsel that the terms of the settlement do not appear altogether fair or reasonable.”  He also signaled disapproval of conducting settlement negotiations outside of the court proceedings without participation by or notice to class counsel, stating that “the way this issue has arisen is neither fair nor is it how the Court expects attorneys to conduct themselves in litigating matters before the Court.”  Nonetheless, Judge Magnuson concluded that he was powerless to enjoin the settlement, insofar as Fed. R. Civ. P. 23, which governs class actions, empowers parties to settle claims that are the subject of a class action privately, without court approval, at any time prior to certification of a plaintiff class.  “Before a class is certified,” he wrote, “a Court’s authority over settlements such as these is limited to curing communications that constitute ‘actual or threatened misconduct of a serious nature.’”  He concluded, however, that Target’s and MasterCard’s communications with card issuers concerning the settlement were not so misleading or deceptive that the Court would be empowered to enjoin the solicitation of card issuers to participate in the settlement.  Accordingly, the judge declined to enjoin the Target-MasterCard settlement.

It is unclear whether class counsel intend to seek interlocutory appellate review of Judge Magnuson’s order.  Such review is highly unusual and difficult to obtain.

As a result of this ruling, the settlement process under the Target-MasterCard settlement agreement can continue to go forward.  In order to participate in the settlement, issuer banks must affirmatively elect to join the settlement and provide releases to Target.  Target can walk away from the settlement if issuers of fewer than 90% of the affected payment card accounts opt into the settlement.  It is likely that class counsel will encourage issuer banks to decline the settlement and continue to participate in the class action.  The success or failure of such a campaign will determine whether MasterCard-related claims continue to be litigated in federal court before Judge Magnuson.  Also unclear at this point is whether a similar settlement is in the works between Target and Visa to resolve the claims of Visa-issuing banks and, if so, what the terms of that settlement will be.

In the wake of Target’s April 15 announcement of a private $19 million settlement of the data breach claims of MasterCard-issuing banks, counsel representing the putative card issuer class in the consolidated Target data breach litigation moved to enjoin the proposed settlement, arguing that it is an improper end-run around the Minnesota federal court’s adjudication of card issuer claims.  Target has responded that the settlement appropriately uses dispute resolution processes in MasterCard’s operating agreements to address breach-related losses, and employs a process that has been endorsed by other federal courts in prior data breach cases.  The motion awaits action by Judge Magnuson, who is presiding over the consolidated cases pending against Target.

Target confirmed a report in the Wednesday edition of The Wall Street Journal of a settlement with MasterCard concerning claims of card issuers arising from Target’s 2013 data breach.  The data breach, which occurred during the post-Thanksgiving holiday shopping season, compromised over 40 million credit and debit cards used to make purchases at Target stores.  The settlement has not been presented to the court for approval but was described in a press release issued by Target after the close of business on Wednesday.  The settlement proposes payment of up to $19 million (previous reports had indicated a fund of $20 million) to reimburse issuers of MasterCard-branded payment cards for costs arising from reissuance of cards compromised by the data breach.  Target’s obligation to proceed with the settlement is conditioned on acceptance by issuers of at least 90% of the eligible payment card accounts.  Target indicates in its press release that it intends to “defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.”  In order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach.  The press release also states that the potential $19 million cost of the MasterCard settlement is included in the total cost of the data breach disclosed in Target’s public securities filings (reported at 2014 year end to be $252 million before insurance offsets).

According to Target’s Wednesday press release, issuers that accept the MasterCard settlement are expected to be paid “by the end of the second quarter of 2015.”  Based on the description of the settlement and the expected timing, it appears that the MasterCard settlement will take place entirely outside of the card issuer class action that is still pending in federal court in Minnesota, although any releases given in connection with the MasterCard settlement would finally resolve claims of settling issuers as to MasterCard payment cards compromised by the breach.  The proposed settlement would not affect outstanding claims on behalf of issuers of other types of payment cards (including Visa, Discover and American Express cards).

According to a report published today in The Wall Street Journal, Target and MasterCard are close to reaching a settlement of the claims of MasterCard-issuing institutions in connection with Target’s 2013 data breach.  The settlement would reimburse the cost of reissuing debit and credit cards compromised by the breach, as well as a portion of the resulting fraudulent charges made using stolen payment card numbers.  A $20 million settlement would be comparable to the amount paid by TJX Cos. to MasterCard in connection with the 2008 TJX data breach.  News of a potential card issuer settlement comes less than one month after Target and class counsel filed papers seeking court approval of a proposed class settlement of consumer claims arising from that same data breach.  Sources informed the Wall Street Journal that a definitive MasterCard settlement could be announced as soon as this week.

On March 18, 2015 – just three months after denial of a motion to dismiss consumer claims arising from Target’s 2013 data breach – Target and the consumer class filed papers seeking approval of a settlement.  The proposed settlement agreement creates a $10 million cash fund to be paid out to class members claiming actual damages arising from the settlement.  Settlement funds will be distributed in a claims-made process to be run by a settlement administrator (the cost of which will be borne by Target).  The maximum claim amount is $10,000.  Claims without supporting documentation are capped at lower dollar amounts.  Unclaimed funds will not revert to Target, but will be redistributed to class members submitting claims or as otherwise directed by the Court.  The settlement also calls for non-cash relief consisting of the adoption of certain data security protection practices and appointment of a chief information security officer.  Finally, class counsel have indicated that they will apply for $6.75 million in attorneys’ fees.

Why the quick settlement?

In a recently-released Form 8-K filing announcing fourth quarter and year-end financial results, Target Corporation reported that expenses incurred in 2014 relating to its 2013 data breach totaled over $191 million.  Those expenses were offset by $46 million in insurance proceeds, resulting in a $145 million charge against Target’s 2014 operating results.  The expenses incurred in 2014 were in addition to $61 million in breach-related expenses incurred in 2013 which, after receipt of $44 million in insurance proceeds, yielded $17 million in net breach-related expenses for Target in 2013.  In all, Target has incurred $252 million in costs arising from the data breach through the end of 2014 which, after receipt of $90 million in insurance proceeds, has resulted in total net expenses to Target in 2013 and 2014 of about $162 million.

By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc.  Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next.

Last week the United States District Court for the District of New Jersey dismissed, with prejudice, class action claims against Google and Viacom concerning targeted advertising and the online tracking of children through cookies.  Perhaps surprisingly, the claims did not involve allegations that the parties violated the Children’s Online Privacy Protection Act (COPPA).  The suit arose from allegations that when users register on Viacom’s Nick.com website, they are asked to input their gender and birthday and create a username.  Viacom collects this information and gives each user a unique internal code that reflects their gender and age.  Viacom then places a cookie on each user’s computer, which tracks the user’s IP address, browser settings, unique device identifier, certain system and browser information, and the URLs and videos requested from Viacom’s children’s websites.  Viacom would share with Google its unique internal code, along with the record of what parts of the site users interacted with, and Google would place its own cookie on each user’s computer.  Google and Viacom would then use this information to target the users with advertising.

The plaintiffs alleged violations of the Wiretap Act, Stored Communications Act, California’s Invasion of Privacy Act, the Video Privacy Protection Act (VPPA), New Jersey’s Computer Related Offenses Act (CROA), and two New Jersey torts, including Intrusion upon Seclusion.  The plaintiffs did not allege violations of the Children’s Online Privacy Protection Act (COPPA).  In July 2014, the Court dismissed with prejudice all claims except the VPPA claim against Viacom and the CROA and Intrusion upon Seclusion claims against both defendants, as to which the court allowed the plaintiffs to amend their complaint.

In January 2015, the court dismissed the amended complaints with prejudice.  With regard to the VPPA claim against Viacom, the court found that the plaintiffs had not alleged sufficient facts to show that the information collected by Viacom could actually identify the plaintiffs.  The Court noted that the VPPA requires disclosure of personally identifiable information (PII) concerning a consumer, but that there is no support for the proposition that PII includes the kind of information Viacom collected and shared, such as IP address, gender, and age.  Further, the court found that this information was insufficient to identify an individual plaintiff and a video that plaintiff watched, as required for a violation of the VPPA to be found.  Therefore, the court held that the VPPA claim fails.

Written by Kevin McGinty

A recent ruling by Federal District Judge Paul Magnuson will permit most of the consumer claims in the Target data breach litigation to survive Target’s motion to dismiss.  This most recent ruling follows on the heels of the court’s December 2 decision partially denying Target’s motion to dismiss the consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach.  The late 2013 data theft that gave rise to the consumer and issuer bank claims was caused by malware placed by hackers on Target’s point-of-sale (“POS”) terminals.  The malware allowed the hackers to record and steal payment card data as customers’ credit or debit cards were swiped.  In the consolidated consumer complaint, 117 named plaintiffs allege that Target wrongfully failed to prevent or timely disclose the data theft.  Plaintiffs also contend that Target failed to disclose the purported insufficiency of Target’s data security practices.  The consumers assert claims under the laws of 49 states and the District of Columbia for negligence, breach of contract, breach of data notification statutes and violation of state unfair trade practice statutes.  The consumer complaint also purports to assert those claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach.

Written by Ernie Cooper

Businesses that engage in fax advertising and solicitation should pay careful attention to the recent ruling by the Federal Communications Commission clarifying that even fax advertisements sent with the prior express invitation or permission of the recipient must include an opt-out notice that: (1) is clear and conspicuous and on the first page of the ad; (2) states that the recipient may request the sender not send any future ads and that failure to comply with an opt-out request within 30 days is unlawful; and (3) contains a telephone number and fax number for the recipient to transmit an opt-out request.

Because there had been some confusion about whether the opt-out requirement applied to solicited fax advertisements, the FCC granted a retroactive waiver of the requirement to 24 companies that had asked for the clarification, allowing them until April 30, 2015, to come into full compliance with the opt-out requirement.

The FCC also said that it would entertain similar requests from other parties for retroactive waiver of the rule, but warned that it expected those parties “to make every effort to file such requests prior to April 30, 2015.”  It said that such requests would be adjudicated on a case-by-case basis.  The FCC recently asked for public comment on retroactive waiver petitions filed in November by eight additional fax advertisers.

There has been no confusion about the requirement to include an opt-out notice in unsolicited fax advertisements sent to persons with whom the sender has an existing business relationship or “EBR,” and the FCC window for waiver requests does not apply to any violation of those rules.  Sending an unsolicited fax advertisement to a person with no EBR remains prohibited.

Fax advertising and telemarketing calling campaigns have increasingly been the subject of class action suits filed under the Telephone Consumer Protection Act (TCPA), underscoring the importance of understanding and applying the rules – even where apparent permission to send the fax or make the call has been obtained.