By Thomas G. Wolfe, J.D.
Recently, as a plaintiff class in data-breach litigation, various financial institutions have been afforded an atypical vantage point in a class action. In the case of In re: Target Corporation Customer Data Security Breach Litigation, Judge Paul Magnuson of the U.S. District Court for the District of Minnesota granted class certification and the appointment of class representatives and counsel for a class of financial institutions that have brought lawsuits against Target Corporation in connection with the massive breach of the retailer’s computer network in late 2013.
According to the court’s recent ruling, the certified class of financial institutions is described as “[a]ll entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.” The plaintiff financial institutions issued payment cards, such as credit and debit cards, to consumers who used those cards at Target stores during the 2013 security breach of consumer-related data.
Among other things, the financial institutions allege that they suffered injury “in the form of replacing cards for their customers, reimbursing fraud losses, and taking various other remedial steps in response to the Target data breach.”
After a Judicial Panel on Multidistrict Litigation consolidated lawsuits concerning the data breach at Target, the case was separated into two “tracks”: one track for consumers and one track for financial institutions. While the track of consolidated cases for consumers has settled (pending final court approval), the track of consolidated cases pertaining to the financial institutions continues. The court appointed Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain as class representatives for the financial institutions.
In light of the Judge Magnuson’s recent ruling, the plaintiff class of financial institutions may proceed in the Multidistrict Litigation to advance their three state-law claims against Target for: (1) negligence in failing to provide sufficient security to prevent the computer hackers from accessing customer data; (2) violation of Minnesota’s Plastic Security Card Act; and (3) “negligence per se” for the violation of the Minnesota statute.
For more information about In re: Target Corp. (D. Minn.) subscribe to the Banking and Finance Law Daily.