Data Protection Report - Norton Rose Fulbright

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident.  This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches:  how to handle data breach victims whose data was compromised but not misused, and therefore they cannot show concrete monetary harm.  Here, that issue has at least temporarily derailed a multi-million settlement of the last major lawsuit arising out of Target’s high-profile incident.

The Target Incident

In the Target security incident, hackers gained access to the credit and debit card information of up to 110 million customers.  It resulted in over 100 lawsuits across the country, which were consolidated into one multi-district litigation in the United States District Court for the District of Minnesota.   The court grouped the cases into three categories:  those brought by consumers, those brought by financial institutions (such as the banks that issued the credit and debit cards that were compromised), and those brought by Target shareholders.  The financial institution suit has settled and the court has approved that settlement without objection; the shareholder derivative suit was dismissed without opposition after Target’s special litigation committee’s report concluded it was not in the company’s best interests to pursue the claims.

The Consumer Class Action Settlement

The consumer class action also settled under terms whereby Target committed to create a $10 million fund that would be used to pay consumers’ claims.  Affected consumers would be sent a claim form, asking if they suffered certain types of harm as a result of the security incident and if so, to provide any supporting documentation.  Those with documented out-of-pocket losses could obtain up to $10,000 in reimbursement; those who claimed they had suffered harm but could not document any losses would share equally in any funds remaining after payments to those with documented losses.  In addition, Target agreed to implement certain corporate security measures to help prevent against future security incidents.

Several class members objected to the settlement; the most detailed objection complained that the settlement improperly privileged some class members over others, among other things.  This argument was based on the objector’s admission that he had not suffered any of the many possible harms listed on the proposed claim form, such as time spent addressing unauthorized payment card charges, higher interest rates on a financial account, credit-related costs, or any “[o]ther costs or unreimbursed expenses as a result of the Target data breach.”  Based on his admission, the objector would not receive anything under the settlement, but would still be bound by it—including the provisions releasing all his claims (known or unknown) against Target.  Despite this objection, district court made final its prior, preliminary certification of the class and approved the settlement.  The objector then appealed.

The Eighth Circuit Decision

The Eight Circuit Court of Appeals reversed the district court’s certification of the settlement class, nullifying the district court’s approval of the resulting settlement.  The appellate court found that the district court’s order certifying the settlement class was perfunctory, and did not include the detailed analysis that was required.  The appellate court remanded the case to the district court to conduct a more thorough analysis, addressing the objector’s complaint that the class and its settlement did not properly address those who suffered no losses.

Though the court stated it was taking no position on the propriety of class certification, it noted that the objector’s arguments raised questions as to whether there was an “intraclass conflict” between members who had suffered losses and those that had not. If such a conflict existed, it jeopardized the class representatives’ ability to adequately represent the class, and potentially required the creation of one or more subclasses with independent representation.  These issues will need to be addressed by the district court on remand.

Our Take

The Eighth Circuit’s decision is yet another expression of a common question in the evolving body of law surrounding data breaches:   how do we address those instances where security was compromised, but we don’t know if a particular person’s data was stolen?  As we have explained in prior posts, this issue usually arises when individuals file suit in response to a data breach and cannot show monetary losses from a misuse of their data, leading to a question of whether they have standing to bring suit.

In the Target consumer class action, the issue arose because the parties broadly defined the settlement class as “[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [Target] data breach.”  Target previously determined that the incident involved credit and debit card data from transactions from November 27 through December 18, 2013, so it implemented its class definition to include everyone who used their credit or debit card at a Target store in that time frame.  This meant that the class likely included many people whose credit card information was compromised but not misused, so they had no out-of-pocket losses.  In the parties’ settlement scheme such people received no compensation, but still granted broad releases to Target.  That issue was significant enough to derail the $10 million settlement, at least for now.  On remand to the district court, the parties and the court will need to address this issue.  The outcome could provide a blueprint for class settlements in future data breach cases.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.