However, a new type of plaintiff may be changing the data breach class action landscape. In the past year, multiple national retailers announced that criminals absconded with tens of millions of customers’ payment card credentials. In the wake of the two largest breaches—Target in late 2013 and Home Depot this year—financial institutions filed putative class actions against the retailers, bringing a host of common-law and statutory claims. The increasing number of cases being brought—and the legal issues only now coming before the courts—suggest that we are approaching a new stage in data breach class action jurisprudence generally: one that may delineate new areas of liability, clarify standards of care in a still developing legal and technological landscape, and create an incentive for new protections for critically sensitive financial data.
Historical Limitations of Data Breach Class Actions
A recurring refrain in data breach litigation is the proposition that while the data breach may in fact increase an individual’s risk of harm in the future, this does not provide a sufficient quantum of injury to move a case past the pleadings stage. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (allegations of hypothetical, future injury do not establish standing under Article III, where plaintiffs could not allege misuse or that identifiable taking of information had occurred). Courts have held, arguably without exception, that the risks associated with the compromise of personal or financial data—with no further injury alleged—are too attenuated to confer standing or successfully plead a cognizable legal injury sufficient to uphold a negligence claim. Low v. LinkedIn, No. 11-cv-01468, 2011 WL 5509848, at *5–6, *14–15 (N.D. Cal. Nov. 11, 2011) (plaintiff lacked standing despite allegations of emotional and economic harm arising from an alleged disclosure of personal information resulting from a data breach). While this is not a death knell for consumer plaintiffs’ cases, successful litigations require something more than a negligence claim and a theory of injury predicated on the breach alone; an immediate and concrete injury must be pled.
Hammond v. Bank of New York Mellon Corp., No. 08-Civ-6060, 2010 U.S. Dist. LEXIS 71996 (S.D.N.Y. June 25, 2010), is a good example. Here, the defendant lost several boxes of unencrypted computer backup tapes en route from Philadelphia to Pittsburgh, containing names, addresses, Social Security numbers, bank account information, financial data, debit and credit card numbers, and checking account numbers. The plaintiffs did not plead a financial loss stemming from the breach in the ensuing litigation (two experienced fraudulent charges for which they were ultimately reimbursed by their financial institutions). The court therefore concluded that the plaintiffs “lack[ed] standing because their claims are future-oriented, hypothetical, and conjectural. There is no ‘case or controversy.’”
In recent years, a growing number of courts have been willing to hold that the increased exposure to identity theft resulting from a data breach is sufficient injury to confer standing but not for a negligence claim. Compare Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (credible threat of real and immediate harm stemming from the theft of a laptop containing unencrypted personal data sufficient to confer Article III standing), with Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010) (while harm stemming from theft of laptop was sufficient to confer standing, it was insufficient to prove element of injury in negligence cause of action). But even this approach was called into question by Clapper, which held that plaintiff human rights and media organizations lacked standing to assert a constitutional challenge to the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act of 2008. The Court held that “respondents’ theory of future injury is too speculative to satisfy the well-established requirement that threatened injury must be ‘certainly impending.’” Clapper, 133 S. Ct. at 1147. Many district courts subsequently applied the holding in Clapper to the data breach context and dismissed on standing grounds. E.g., In re Barnes & Noble Pin Pad Litig., 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. Sept. 3, 2013).
Against this backdrop, skeptics maintained that data breach litigation was largely stalling out, as the most obvious and universal articulation of injury—a plaintiff’s sensitive information falling into the hands of a cyber criminal—was almost uniformly deemed too speculative by the courts to survive demurrer. For a case to proceed past the pleadings stage, it would seem, the issues would have to be recast in a consumer fraud context or a named plaintiff would have to demonstrate affirmative acts of identity theft or other, comparable fraud. See, e.g., Resnick v. AvMed, Inc., 693 F.3d 1317, 1327–28 (11th Cir. 2012) (plaintiffs satisfied pleading standards for negligence claim where they alleged that information compromised in data breach was subsequently used to open unauthorized accounts by third parties). This change in litigation strategy arguably shifts the legal inquiry away from whether a duty of care ought to be imposed on parties harboring data, and toward either the representations made in the course of business or whether the plaintiffs demonstrated sufficient injury to proceed on a negligence theory.
The Rise of the Financial Institution Plaintiff
Recently, however, financial institutions have entered the fray, demonstrating an appetite for class litigation following a dramatic uptick in retailers experiencing data breaches, along with a dramatic increase in the number of accounts compromised in a given breach. Here, the injury is undeniably concrete—financial institution plaintiffs must bear costs associated with monitoring for and reimbursing charges arising from fraud, reissuing compromised cards, alerting affected customers, and incurring lost transaction costs from reduced consumer confidence, among others. Those costs can be significant. Where a national retailer experiences a “mega breach”—defined by technology security company Symantec as an individual data breach resulting in at least 10 million records being exposed—tens of millions of debit and credit cards can be compromised, if not more. After Target’s data breach of late 2013, up to 110 million customers’ personal and financial data were stolen. Data from the Consumer Bankers Association and the Credit Union National Association, published in February 2014, estimated direct costs from the Target breach—for replacing payment cards—at roughly $200 million. Saabira Chaudhuri, “Cost of Replacing Credit Cards after Target Breach Estimated at $200 Million,” Wall St. J. (Feb. 18, 2014). Similarly, on September 8, 2014, Home Depot announced a data breach affecting 56 million payment card credentials. A preliminary estimate places losses stemming from this breach at $2–3 billion (including anticipated losses from fraud for merchants). “Home Depot Data Breach Likely to Strike 60 Million and Cause over $2 Billion in Fraud,” BillGuard (Sep. 10, 2014).
Following Target’s breach, 29 financial institutions filed class actions against the retailer, which cases were ultimately consolidated into a multidistrict litigation (MDL) in Minneapolis. With regard to Home Depot, as of the writing of this article, 10 financial institutions—including litigants from the Target MDL—have brought suit. In addition to Target and Home Depot, at least one other data breach has resulted in filings brought on behalf of financial institutions in 2013–2014: Winsouth Credit Union v. MAPCO Express, Inc., No. 3:14-cv-01573 (M.D. Tenn. filed July 31, 2014), and First National Community Bank v. MAPCO Express, Inc., No. 4:14-cv-00031 (N.D. Ga. filed Feb. 19, 2014).
Beyond alleging common-law claims such as negligence and negligent misrepresentation, financial institution plaintiffs have brought statutory claims under various states’ payment card statutes, as well as negligence per se claims predicated on violations of those statutes. Enacted in the wake of earlier data breaches, these payment card statutes typically provide a cause of action for financial institutions against merchants who did not exercise reasonable care in the handling of card data. At present, three states have enacted laws explicitly dealing with merchant liability in the wake of data breaches: Minnesota (Minn. Stat. § 325E.64), Nevada (Nev. Rev. Stat. Ann. § 603A.215), and Washington (Wash. Rev. Code § 19.255.020). Broadly, and to a greater or lesser degree depending on the specific state’s statute, a merchant violates these statutes by failing to comply with an industry-promulgated series of standards called the Payment Card Industry Data Security Standards (the PCI Standards) or by failing to encrypt the payment card data in the course of the consumer transaction.
There are currently too few data points to determine whether these types of lawsuits represent a trend. Beyond the spate of lawsuits in 2013–2014, the author is aware of only three other class-based litigations: In re Heartland Payment Systems, Inc. Data Security Breach Litigation, MDL No. 09-02046 (LHR) (S.D. Tex.); In re TJX Companies Retail Security Breach Litigation, No. 1:07-cv-10162-WGY (D. Mass); Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008).
Despite the scarcity of data in the financial plaintiff class litigation space, these cases have moved courts’ legal inquiry further down the spectrum, away from standing and injury and into new realms such as duty and breach of standard of care. See, e.g., Defendant’s Memorandum of Law in Support of Motion to Dismiss the Consolidated Class Action Complaint at 5–16, In re Target Corp. Customer Data Security Breach Litig., MDL No. 15-522 (PAM/JJK) (D. Minn.), ECF No. 185; Financial Institution Plaintiffs’ Memorandum of Law in Opposition to Defendant Target Corporation’s Motion to Dismiss the Consolidated Class Action Complaint at 18–35, In re Target Corp., MDL No. 15-522 (PAM/JJK) (D. Minn.), ECF No. 204. This type of litigation comes at a time when two very powerful industries—financial institutions and retailers—are pitted against each other in terms of who bears responsibility for costs arising from cyber crime, and it also comes at a time when cyber crime is becoming larger in its scope and bolder in its execution month by month. As mentioned above, industry has been forced to coin a new term—“mega breach”—to identify the newer, more massive-in-scale types of data breaches that are becoming increasingly common (evidenced, inter alia, by the need to coin the term itself). As the threat metastasizes, our civil legal framework must become more developed. The recent spate of financial institution data breach plaintiffs, at a minimum, allows for pressing legal issues to be litigated: Plaintiffs, defendants, and, most important, the courts recognize that injuries exist in these lawsuits; now the issue is determining what duty is owed by retailers to financial institutions with regard to preventing criminal incursion across payment networks, as well as outlining the boundaries of the various state statutes imposing liability for inadequate network security.
Keywords: litigation, class actions, financial institutions, data breach, Target, Home Depot