A Minnesota court recently agreed that customers filing a class action against Target should be allowed to pursue their claims of damages related to personal information lost during the retailer’s 2013 data breach, which affected about 110 million customers.
Consumers alleged that Target had violated consumer protection laws in 49 states, data breach laws in 38 states, breached a duty to disclose, and breached a series of contracts, both legal and implied with the owners of the lost data. United States District Court in Minnesota commented in its decision, “Target seeks dismissal of all claims, contending that the 121-page, 356-paragraph Complaint lacks sufficient detail to support plaintiffs’ allegations.”
According to Target, the plaintiffs did not satisfactorily proven they had suffered any injury as a result of the breach. The Court disagreed, in a decision written by Judge Paul Magnuson.
“Plaintiffs have alleged injury,” Magnuson said. “Indeed, paragraphs 1.a through 1.g and 8 through 94 of the Complaint are a recitation of many of the individual named Plaintiffs’ injuries, including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees. Target ignores much of what is pled, instead contending that because some Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts, Plaintiffs have insufficiently alleged injury. These arguments gloss over the actual allegations made and set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage. Plaintiffs’ allegations plausibly allege that they suffered injuries that are “fairly traceable” to Target’s conduct.”
The Court’s consideration of the claims against Target illustrate the differences and difficulties in enforcement and application of both consumer protection statutes and data breach laws among the states where affected plaintiffs reside – or do not reside, in the case of a few states.
“As Target undoubtedly knows, there are consumers in Delaware, Maine, Rhode Island, Wyoming, and the District of Columbia whose personal financial information was stolen in the 2013 breach. To force Plaintiffs’ attorneys to search out those individuals at this stage serves no useful purpose,” said Magnuson, countering Target’s argument that the laws of these states should not be invoked when no named plaintiffs live in any of them.
Based on individual state laws, the Court dismissed some claims alleging negligence, breach of implied contract and economic loss. Plaintiffs alleged that they were “overcharged” because prices paid at Target included a premium to assure data security, an assurance they say was violated. They also alleged that had they known Target would be reckless about data security, plaintiffs would not have shopped there.
The Court granted Target’s motion to dismiss on the overcharging theory, given that all customers pay the same prices, regardless of whether they pay cash or credit. It allowed plaintiffs to proceed with claims of damage relating to the “would not have shopped” notion.
Although the Court agreed that many of the claims should proceed to the class-certification stage at the least, it also granted Target’s motions to dismiss a few claims brought in states that do not allow class actions under their consumer protection statutes — Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, and Tennessee. Another two, Ohio and Utah, only allow class actions over deceptive acts under their consumer protection laws. Although the Target case is being heard in federal court, the Court followed a series of other decisions that found that when states create a private right of action to enforce a particular law and prohibit class actions, the ban holds up in federal court.
The Court dismissed claims under the data breach statutes of Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada, and Texas, due to language stating that only the state attorney general can bring claims under those statues. An ambiguous law in Colorado resulted in the allowance of the plaintiffs’ claim, but a similar issue in Rhode Island resulted in dismissal of that claim. Claims under data-breach laws in 26 other states will proceed, the Court ruled. Target could face claims in state courts despite their dismissal from this case, the Court noted.