Many will recall the 2013 holiday shopping season when Target announced that cyber thieves had accessed and stolen as many as 70 million customer credit and debit card numbers and extracted personal information for another 40 million customers. It remains one of the largest reported data breaches in U.S. history. Because it directly impacted so many consumers, the “Target breach” brought the topic of consumer data protection into the headlines like never before.
Soon after its disclosure of the breach, Target was hit with multiple class action lawsuits by both consumers and financial institutions, and faced several investigations by state and federal regulators. But while the investigations and the financial institution class actions continue, it appears that consumer class actions may soon be resolved.
Notably, the proposed consumer class action settlement was announced not long after the Court ruled the consumer class actions cases had largely survived Target’s motion to dismiss. In December of 2014, District Judge Paul A. Magnuson ruled in In re: Target Corporation Customer Data Security Breach Litigation, (D. Minn 2014) that the consumer plaintiffs had standing to pursue their data breach claims against Target through a consolidated class action.
The Court’s Order – that the consumer litigation had largely passed the threshold standing test — seems to have been a catalyst for the relatively quick and somewhat unusual settlement proposal for the entire consumer class litigation. On March 19th, 2015, Judge Magnuson preliminarily approved the parties’ proposed settlement agreement for the consumer class action wherein Target agreed to pay up to $10 million to compensate class members who could prove “substantiated losses” as a result of the breach. Thus, a customer who can prove, through “reasonable documentation”, that his or her identity was actually stolen and experienced actual, substantiated losses is eligible for reimbursement of up to $10,000 from the settlement fund.
The parties could very well have spent the next several years, and much more than $10 million, litigating the issues of how, and to what extent, the purported class of up to 110 million plaintiffs suffered actual, compensable harm as a result of the breach. In the wake of the Supreme Court’s decision in Clapper v. Amnesty International (2013), data breach plaintiffs in general bear the burden to prove they have standing to sue over a breach by showing how the event caused them more than a mere fear of future harm. Yet courts are still crafting a modern view of compensable injury in this context, with cases like In re Sony Gaming Networks and Customer Data Security Breach Litigation (9th Cir. 2014) holding that a “credible threat” of loss following a breach satisfies Clapper. Rather than litigate a high-profile test case for the compensability of wrongful disclosure of sensitive information, the parties here opted for what appears to be a more efficient resolution that only compensates class members with currently provable financial losses.
Businesses and the plaintiffs’ bar alike can view the Target settlement as a possible model for efficient dispute resolution in future large data breach cases. The parties agreed to a settlement amount calculated to compensate a plausible minority subset of class members who can prove they actually suffered tangible financial harm as a result of the breach. Of course, such a relatively small settlement fund may not have been realistic if the hackers actually had utilized financial information for more than a small fraction of the millions of consumer class members – but there is no indication that actual wide-spread identity theft occurred following the Target breach.
In other consumer data breach cases, it remains to be seen whether the requirements for establishing compensable harm will be relaxed. In the meantime, however, businesses who find themselves in Target’s position may consider a similar settlement approach as being a pragmatic, reasonable method to more quickly bring closure to costly, time-consuming and potentially brand-damaging litigation.
