In a recent post, we discussed how plaintiff class members who have not suffered financial harm as a result of a data breach face challenges meeting the Article III standing requirement necessary to invoke a federal court’s jurisdiction. The 8th Circuit’s opinion in In re Target Corp. Customer Data Security Breach Litigation highlights yet another hurdle such plaintiffs may encounter.
The well-documented Target data breach, first disclosed in 2013, affected the payment card data and personal information of up to 110 million Target customers. A class action was filed by 112 consumer representatives, each of whom allegedly suffered a financial loss. The parties reached a proposed settlement, the key factor being the establishment of a $10 million settlement fund. The fund would be distributed to class members with documented financial losses first, with the remainder distributed among those class members with undocumented financial losses. Critically, those class members without any financial losses would not receive remuneration from the fund, yet would be barred by the settlement from ever bringing a claim relating to the data breach.
The district court approved the settlement over the objections of a class member who had not suffered any financial loss and thus would not receive any payment from the settlement fund. The objector appealed, arguing a separate subclass should have been created to represent the interests of class members who had not suffered any financial losses.
The 8th Circuit held that the district court erred by not conducting the “rigorous analysis” required by the Federal Rules of Civil Procedure (Rule 23(a)) prior to certifying the class. In remanding the case back to the district court, the Court did not offer an opinion on whether a class should ultimately be certified, but directed the district court to determine whether an intra-class conflict resulted from the proposed settlement and, if so, whether such a conflict prevented the class representatives from adequately protecting the interests of the class members who did not suffer any financial losses.
The 8th Circuit’s decision highlights that standing is not the only hurdle facing plaintiffs without any financial harm from a data breach. Such plaintiffs may have conflicts of interest with their class brethren who have suffered financial harm. The decision also casts a spotlight on a glaring inconsistency in plaintiffs’ counsel’s position in the case — that plaintiffs without financial losses suffered sufficient harm to possess Article III standing, yet were not deserving of any financial relief for that harm.
Banks as data breach victims?
Another high-profile data breach also had recent developments on the settlement front. In 2014, Home Depot disclosed a data breach affecting the payment card data of over 50 million customers arising from vulnerabilities in its self-checkout point of sale devices.
In a settlement filed in federal court in early March, Home Depot agreed to pay $25 million to financial institutions that suffered losses for costs associated with replacing affected payment cards and covering fraudulent charges stemming from the data breach. This settlement is in addition to prior payments to MasterCard, Visa and other financial institutions exceeding $134 million relating to the breach. In total, Home Depot has paid far more to impacted financial institutions than to affected consumers.
Thus, while the impact of data breaches on consumers often draws the biggest headlines, this settlement is a potent reminder that a data breach’s greatest financial impact on the victim entity may arise from liabilities to financial institutions — although this comes with the considerable caveat that lost sales and consumer goodwill resulting from a data breach can be more difficult to measure.
Mark Mattingly and Matt Hafter are attorneys in Thompson Coburn’s Cybersecurity practice.