Target Breach Lawsuits Consolidated
Banking Suits Seek Recovery of Expenses
Dozens of class action lawsuits filed on behalf of banking institutions, consumers and shareholders against Target Corp. in the wake of the retailer's massive breach are being consolidated into three groups.
In their lawsuits, banking institutions claim Target should be responsible for card re-issuance and replacement expenses that card issuers have incurred as a result of the retailer's breach, which is estimated to have exposed some 40 million debit and credit cards (see: Suits Against Target Make 'Statement').
A statement from the U.S. District Court in Minnesota notes: "The court will appoint lead and liaison counsel for each of the three groups of plaintiffs, in addition to supervising lead and liaison counsel for all plaintiffs."
More than 140 lawsuits, including 29 brought on behalf of banks and credit unions, were consolidated into three groups before U.S. District Judge Paul Magnuson on May 14, according to local news publication Pioneer Press.
On April 2, the Judicial Panel on Multidistrict Litigation determined that the lawsuits involve common questions of fact "arising from a data security breach at stores owned and operated by Target between Nov. 27, 2013, and Dec. 15, 2013," according to the U.S. District Court in Minnesota. The judicial panel also found that "centralization will eliminate duplicate discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary."
More information on the lawsuits and court proceedings can be found here.
Next Steps in the Case
Cybersecurity attorney Joseph Burton, managing partner of the San Francisco office for law firm Duane Morris, says the judge's consolidation and subdivision of the lawsuits is a common practice.
"When multiple lawsuits are filed in different courts, the parties or the court may seek to consolidate all of the similar, but, in fact, discrete cases together into one single case," says Burton, who's not involved in the Target cases.
The first steps in the litigation will involve a determination of whether the plaintiffs in each subcase constitute a class within the meaning of the federal rules, Burton says. "Class certification is a complex legal and factual issue which will have significant impact on the course and potential outcome of the cases," he says. "In large litigation like this, determination can oftentimes dictate the ultimate disposition of the cases."
Next steps will likely involve the preparation and filing of motions to dismiss by Target and other defendants on the grounds that the complaint fails to state an offense, Burton says, or that one or more of the causes of action alleged are deficient for a variety of reasons.
"Such motions could be heard either before or after the question of class certification is decided," he says, citing the recent decision by a federal district judge to dismiss the majority of a consolidated class action lawsuit that was filed against TRICARE, the military health program, and Science Applications International Corp. in the wake of a 2011 data breach that affected nearly 5 million individuals (see: Most Claims in TRICARE Breach Dismissed).
"There the court found that many of the class representatives could not demonstrate harm and therefore lacked standing to bring the lawsuit," Burton says. "This required their dismissal from the suit, raised questions about the other plaintiffs' standing, and the ultimate viability of the entire lawsuit."
Still, Burton says it's difficult to say when and precisely how any similar motions will be brought in the Target case. "Such motions are legally complex and heavily fact-dependent," he says. "But it is a safe bet that they will be brought. ... The real maneuvering and fighting is about to begin."
Banks Taking Legal Action
Putnam Bank, a $451 million community bank based in Connecticut, was among the first to file a class action suit against Target, claiming the retailer should compensate affected banks for expenses associated with card re-issuance, closing accounts, reimbursing customers for unauthorized transactions and other breach-recovery-related losses.
"Target's failure to adequately safeguard customer confidential information and related data and Target's failure to maintain adequate encryption, intrusion detection, and prevention procedures in its computer systems caused the losses hereinafter set forth," Putnam Bank notes in its claim.
Pennsylvania-based First Choice Federal Credit Union, an $18 million institution based in New Castle, and Alabama State Employees Credit Union, a $212 million institution based in Montgomery, filed similar suits against Target, claiming the retailer should compensate them for breach-related expenses.
And on Feb. 13, Wisconsin-based Integrity First Bank, an $80 million institution based in Wausau, filed a class action suit with a Wisconsin consumer against Target for compensation related to the breach.