LEGAL
During a time when news headlines are all but dominated by the word "Trump," many stories otherwise considered important may be drowned out amidst the clamor.
The February 1 ruling from the Eighth Circuit, In re Target Corporation Customer Data Security Breach Litigation, is such a story. The decision is the latest in the class action case against Target Corp. for the 2013 data breach that left up to 110 million Target customers' credit card and personal information compromised.
Within months of the breach's announcement, over 100 consumers filed multiple suits (later consolidated and granted class certification) against Target for, among other things, violation of state consumer protection laws and negligence. After the case survived Target's motion to dismiss, the parties eventually agreed to settle, which was approved by the district court.
Under the terms of the agreement, Target is to create a $10 million fund for the class, from which class members with documented losses would be paid first, after which class members with undocumented losses would be paid. Those members of the class who have not yet suffered losses from the data breach receive nothing from the fund.
Two class members each objected to the settlement for a number of reasons. For the purposes of this ruling, the objections of only one member, Leif Olson, are relevant. Specifically, Olson argued that the class could not be certified because "it failed to meet the basic prerequisites of Federal Rule of Civil Procedure 23(a)" – which mandates that the representative parties of the class seeking certification "will fairly and adequately protect the interests of the class."
Olson alleged that the interests of a so-called "zero-recovery subclass" were not being adequately protected by the representative parties, among whom there were no members of this "subclass." This subclass is identifiable as those consumers whose financial data was compromised in the breach, but had not suffered any financial loss because of it. The proposed settlement would bar any claims that they may have in the future if they did suffer harm, even though these individuals would not receive any financial compensation from the settlement barring their claims.
The Eighth Circuit held in its ruling that the district court failed "to rigorously analyze the propriety of certification," remanding the case for the court to conduct such an analysis under Rule 23(a). From the way that the opinion is written, the Eighth Circuit likely expects a proper such analysis to conclude that the interests of the "zero-recovery subclass" are not being adequately represented by the class representatives, and that a separate subclass should be created with separate representation.
Although this ruling may seem relatively inconsequential, it has the potential to dramatically shake the fate of not only the Target data breach settlement, but also any other future consumer data breach litigation.
The reason for this pertains to a simple statement made by an attorney for the class members during oral arguments at the Eighth Circuit: that 99% of the customers in the class action will get nothing from the settlement.
Why? Because data breaches generally only financially harm a very small percentage of those whose data was stolen – at least at first. If a Target customer neglects to replace a credit card impacted by the breach, he or she risks fraudulent activity on that card for years to come.
Moreover, while credit cards and bank accounts can be changed with relative ease, the same isn't true of Social Security numbers and dates of birth. As such, the vast majority of the 60 million or so Target customers who had their personal information compromised may have to remain vigilant for the rest of their lives.
As you can see, then, being forced into creating a separate subclass for these "zero-recovery" class members is a big deal.
Target and other companies in a similar position may not be nearly as inclined to settle these lawsuits if they need to worry about a subclass whose potential injuries are, for the most part, speculative, and may not be incurred for years. After all, while Target is certainly glad to spend these millions on the settlement to be done with the claims from customers who have suffered actual injury, it is far happier to be done with the not as-of-yet-materialized claims of 99% of class members – which could have been potentially haunting the retail giant for decades.
In fact, the bulk of Target's $10 million settlement was likely justifiable as a means to bar these possible future claims – and the creation of a separate subclass for these individuals will likely translate into a drastically reduced payout for the "non-zero-recovery" class members.
As consumer data breaches – and their resultant lawsuits – continue to plague retailers, the progress of this case is worth monitoring.
-->
