Court Allows Financial Institutions To Proceed With Data Breach Class Action Against Target

King & Spalding
Contact
LinkedIn
Facebook
X
Send
Embed

On December 2, 2014, a U.S. District Court in Minnesota ruled that a group of banks and other financial institutions (collectively, “FIs”) could proceed with a class action against large national retailer Target arising from the data breach Target sustained from a computer hacking in December 2013 that resulted in the theft of credit and debit card information for approximately 110 million of Target’s customers. The FIs had issued credit and debit cards to consumers whose financial data was stolen during Target’s data breach and they sought damages for losses resulting from the breach. See In re Target Corp. Customer Data Security Breach Lit., MDL No. 14-2522, 2014 WL 6775314 (D. Minn. Dec. 2, 2014).

The FIs’ suit alleged, in part, that negligent acts and omissions by Target resulted in a data breach that compromised consumers’ financial information. In moving to dismiss the allegations, Target argued that it submitted all consumer charges to a credit and debit card processor (an “acquirer bank”), who in turn processed the transactions with the FIs who had issued credit and debit cards to Target’s customers (the “issuer banks”). Target argued that the issuer FIs could not sue for negligence because Target had no direct relationship with the issuer FIs and thus, owed no duty of care.

The court denied Target’s motion to dismiss, finding that the FIs’ complaint pled sufficient facts to allege that Target’s conduct “created a foreseeable risk of the harm” and that the FIs were “foreseeable victims,” giving rise to a duty of care under Minnesota law. The court acknowledged that “third-party hackers’ activities caused [the] harm,” but found that the complaint sufficiently alleged that Target’s conduct “played a key role in allowing the harm to occur.” The court allowed the FIs’ claims of negligence and negligence per se, as well as violations of Minnesota’s Plastic Card Security Act, to proceed. The court dismissed the FIs’ claim of “negligent misrepresentation by omission,” but allowed the FIs 30 days to file an amended complaint that would address the deficiencies the court identified in that claim.

For a copy of the District Court’s decision, please click here.

Reporter, Mark H. Francis, New York, NY, +1 212 556 2117, mfrancis@kslaw.com.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
King & Spalding
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide