Question of harm is front-and-center as Target data breach lawsuit approaches first major hurdle

3 November 2014. By Mike Swift.

For any company that has its computer systems hacked, exposing the personal information of its customers, the first line of defense in any resulting litigation is almost always the question of harm: To what degree can plaintiffs prove they were hurt by the exposure of their personal data?

So it is with the high-stakes litigation brought by consumers and banks against Target, which suffered a data breach that exposed the personal data of as many as 110 million of its customers late last year. With the plaintiffs facing their first major litigation hurdle in the next few weeks at a pair of hearings on Target’s motions to dismiss the case in US District Court in Minneapolis, the question of harm is front-and-center once again.

In many data breach cases, the alleged harm from the exposure of personal information is often speculative, an injury that may happen in the future through identity theft or fraudulent charges to a bank account or credit card. The prospective nature of the harm has made it difficult for many plaintiffs to gain Constitutional standing to bring litigation.

But in a brief filed over the weekend answering Target’s motion to dismiss the case, the 112 consumer plaintiffs told US District Judge Paul Magnuson that the harm they suffered is not speculative at all. They say it has already happened.

Target’s inadequate computer security hurt millions of Target shoppers around the country who had their personal finances damaged by the fraud committed by criminals outside the United States, the consumer plaintiffs said.

Even though their banks ultimately reimbursed the great bulk of the fraudulent charges, plaintiffs such as Brystal Keller said they had trouble in the interim making their rent or mortgage payments, or even feeding their children over the holidays, because of the financial chaos visited upon their bank accounts and credit scores by cyber-criminals who defeated Target’s substandard security.

After shopping at a Target store in Missouri last year, Keller had fraudulent charges totaling about $700 placed on her account from Target stores in New York and South Carolina, resulting in her bank freezing her ATM card and access to her account from Dec. 26 until Jan.21.

“As a result, she missed a rent payment, a car loan payment and a washer and dryer payment, resulting in unreimbursed fees of $150, $34 and $15, and had trouble putting food on the table for her family during the holidays,” the plaintiffs said in their reply to Target’s motion to dismiss the case.

Other named plaintiffs talked about grandparents being unable to buy Christmas presents, credit score reductions that torpedoed plans to buy a car, and the emptying of more than $3,600 from one woman’s child-support debit card issued by the state of Illinois, resulting in missed tuition payments and depleted savings.

“All plaintiffs suffered imminent, certainly impending injury arising from the substantially increased risk of future fraud, identity theft and misuse now that their personal information is in the hands of criminals who sold it on the black market,” the consumer plaintiffs said.

Target told Magnuson in its motion to dismiss the consumer complaints in October that the consumer plaintiffs “do not allege facts sufficient to show that any injuries could have been caused by the intrusion; their allegations of future and present injuries do not establish standing; and they cannot show they are entitled to injunctive relief.” Target has declined to comment on the case, citing a policy of not speaking about pending litigation.

In preparation for the Dec. 11 hearing in Minneapolis, the consumer plaintiffs also picked up on a recent ruling by a federal judge in Silicon Valley which may have undermined a potent weapon for defense lawyers in data-breach litigation, an area of the law that remains unsettled.

The US Supreme Court, in a 2013 decision in Clapper v. Amnesty International, found that a prospective injury must be “certainly impending” to qualify a plaintiff for standing in a lawsuit.

The “certainly impending” standard has been used by a number of data breach defendants to prevail in recent motions to dismiss data breach litigation.

However, US District Judge Lucy Koh, in a ruling in September that denied a motion by Adobe Systems to dismiss a lawsuit brought in the wake of a breach of Adobe’s online software store, found that because hackers targeted Adobe in 2013 for the express purpose of stealing data for financial crimes, and because stolen data later appeared for sale on the Internet, that breach met the “certainly impending” standard for harm.

Like the Adobe breach, which affected about 38 million people, data stolen in the Target breach has already shown up on the Internet, the Target consumer plaintiffs said.

For that reason, “the danger that plaintiffs’ stolen data will be subject to misuse can plausibly be described as ‘certainly impending,’” the Target consumer plaintiffs said, quoting Koh’s Adobe ruling.

Target is also facing litigation brought by banks and other financial institutions, who may have an easier case to make because they can point to the costs they incurred for replacing millions of payment cards. The banks have a Nov. 21 hearing date before Magnuson on Target’s motion to dismiss their claims.

Indeed, Target is pursuing a different argument to dismiss the banks’ claims. Target said in its motion to dismiss filed in September that the banks’ claims are dependent “on there being a never-before recognized ‘special relationship’ between merchants, like Target, and payment card issuers, like the banks.” Target argued that banks that issue credit cards and retailers such as Target have no direct dealings with one another during a payment card transaction.
The Target litigation is being closely watched.

The scale of the breach triggered hearings in Congress and renewed calls to update payment card technology from 1970s-vintage magnetic strips to an embedded chip and PIN technology that would require a customer to know a password as well as possess the electronic credentials of the chip.

Receive MLex Editor's Picks in Your Inbox

Complete this form to receive emails from MLex with selected highlights from our global coverage of regulatory risk and opportunity, as well as upcoming events, special reports and exclusive interviews.