BreachExchange mailing list archives

Target’s Consumer Class Action Settlement: A New Way to Resolve Big Data Breach Cases?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Apr 2015 18:27:38 -0600

http://www.jdsupra.com/legalnews/targets-consumer-class-action-settlemen-88012/

Many will recall the 2013 holiday shopping season when Target announced
that cyber thieves had accessed and stolen as many as 70 million customer
credit and debit card numbers and extracted personal information for
another 40 million customers. It remains one of the largest reported data
breaches in U.S. history.  Because it directly impacted so many consumers,
the “Target breach” brought the topic of consumer data protection into the
headlines like never before.

Soon after its disclosure of the breach, Target was hit with multiple class
action lawsuits by both consumers and financial institutions, and faced
several investigations by state and federal regulators. But while the
investigations and the financial institution class actions continue, it
appears that consumer class actions may soon be resolved.

Notably, the proposed consumer class action settlement was announced not
long after the Court ruled the consumer class action cases had largely
survived Target’s motion to dismiss. In December of 2014, District Judge
Paul A. Magnuson ruled in In re: Target Corporation Customer Data Security
Breach Litigation (D. Minn. 2014) that the consumer plaintiffs had standing
to pursue their data breach claims against Target through a consolidated
class action.

The Court’s Order – that the consumer litigation had largely passed the
threshold standing test – seems to have been a catalyst for the relatively
quick and somewhat unusual settlement proposal for the entire consumer
class litigation. On March 19th, 2015, Judge Magnuson preliminarily
approved the parties’ proposed settlement agreement for the consumer class
action wherein Target agreed to pay up to $10 million to compensate class
members who could prove “substantiated losses” as a result of the breach.
Thus, a customer who can prove, through “reasonable documentation”, that
his or her identity was actually stolen and that he or she experienced
actual, substantiated losses is eligible for reimbursement of up to $10,000
from the settlement fund.

The parties could very well have spent the next several years, and much
more than $10 million, litigating the issues of how, and to what extent,
the purported class of up to 110 million plaintiffs suffered actual,
compensable harm as a result of the breach. In the wake of the Supreme
Court’s decision in Clapper v. Amnesty International (2013), data breach
plaintiffs in general bear the burden to prove they have standing to sue
over a breach by showing how the event caused them more than a mere fear of
future harm. Yet courts are still crafting a modern view of compensable
injury in this context, with cases like In re Sony Gaming Networks and
Customer Data Security Breach Litigation (9th Cir. 2014) holding that a
“credible threat” of loss following a breach satisfies Clapper. Rather than
litigate a high-profile test case for the compensability of wrongful
disclosure of sensitive information, the parties here opted for what
appears to be a more efficient resolution that only compensates class
members with currently provable financial losses.

Businesses and the plaintiffs’ bar alike can view the Target settlement as
a possible model for efficient dispute resolution in future large data
breach cases. The parties agreed to a settlement amount calculated to
compensate a plausible minority subset of class members who can prove they
actually suffered tangible financial harm as a result of the breach. Of
course, such a relatively small settlement fund may not have been realistic
if the hackers actually had utilized financial information for more than a
small fraction of the millions of consumer class members – but there is no
indication that actual widespread identity theft occurred following the
Target breach.

In other consumer data breach cases, it remains to be seen whether the
requirements for establishing compensable harm will be relaxed. In the
meantime, however, businesses that find themselves in Target’s position may
consider a similar settlement approach as being a pragmatic, reasonable
method to more quickly bring closure to costly, time-consuming and
potentially brand-damaging litigation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/