Minnesota Judge Approves Class Action Suit Against Target
A judge for the U.S. District Court of Minnesota granted class action certification for a suit against Target Corp. on Tuesday in regards to the retail giant’s 2013 data breach.
After 11 law firms gave the initial push for class action certification in late August, its lead plaintiffs—four banks and a credit union—may soon receive restitution for damages incurred from the breach. The amount requested for damages has not yet been specified.
“This important ruling brings financial institutions one step closer to collectively holding Target accountable for its unprecedented data breach,” co-lead plaintiffs Charles Zimmerman and Karl Cambronne said in a statement. “Per the court’s order, we will provide notice to financial institutions that are now members of this class.”
According to the judge’s order, Target contested the class action certification on the belief that any damages needed to be calculated on a bank-by-bank basis. Judge Paul Magnuson of St. Paul disagreed with this viewpoint, meaning that potentially thousands of banks that reprinted credit and debit cards can join action in this suit.
It was noted in the court filing that a September 2014 survey by American Bankers Association found that “nearly every card” of the 40 million cards affected by the breach had been reissued, although another of Target’s contentions was that banks were never required by contract, law or regulation to reissue any cards. Target claimed that banks reissuance was a business decision, and therefore not an injury cost.
Judge Magnuson stated in his court order, “the absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach.” Target spokeswoman Molly Snyder refuted the judge's statement in regards to every single RedCard being reissued, saying in an email, “that did not happen.”
Camden Fine, president and CEO of Independent Community Banksers of America, expressed approval with the Court's decision in a statement. “U.S. District Judge Paul Magnuson was right to grant class-action status to the Target case,” he said. “Recent retailer data breaches have forced community banks to reissue more than 11.5 million debit and credit cards at a cost of more than $130 million.”
Additionally, Allan Erbsen, an associate professor at the Univeristy of Minnesota's law school, believes this won't be something Target can easily sweep under the rug. “The Court's certification order raises the stakes for Target,” Erbsen said, “which will now face extensive discovery, additional public scrutiny, and the risk of a large judgement.”
The newly established class action counsel will be suing on the grounds of Target’s violation of Minnesota’s Plastic Card Security Act. That statute states:
“No person or entity conducting business in Minnesota that accepts a credit or debit card in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data…subsequent to 48 hours after authorization of the transaction. […] Whenever there is a breach of the security of the system of a person or entity that has violated this section…that person or entity shall reimburse the financial institution that issued any credit or debit cards affected by the breach for the costs of reasonable action undertaken…”
Target spokeswoman Snyder said the retailer was “disappointed by the decision.” Moving forward, she added that Target would “evaluate [its] next steps” as it reviews the judge's ruling.