As previously discussed here, Target suffered a massive data breach at the end of last year that compromised the information of 70 million or more consumers. Within days of the announcement, class action lawsuits were filed against Target around the country, including in California, Massachusetts, Minnesota, Ohio, and Utah. These class actions fall into three general categories: (1) those brought by consumers whose information was compromised; (2) those brought by financial institutions such as banks and credit unions that service these consumers; and (3) derivative actions brought by Target shareholders.

In April, these cases were consolidated in the United States District Court for the District of Minnesota. As of May 7, the consolidated case consisted of roughly 81 class actions brought by consumers, 28 class actions brought by financial institutions, and 4 shareholder derivative actions. So far, Target has not responded to the complaints, and discovery is stayed until the court enters a case management order.

One significant hurdle for the consumer class actions will be overcoming the threshold requirement of standing. The Supreme Court recently held in Clapper v. Amnesty International USA that standing under Article III requires a showing of actual harm or "certainly impending" injury. Thus, the argument goes, victims of data breaches do not have standing because most class members allege only a possible injury, namely that their data might be misused. While the Clapper case involved the NSA wiretapping program, its holding has already been used to successfully dismiss data breach class actions by consumers.

We can expect Target to bring such a motion in short order—its Case Management Statement sets forth the defense with regard to the consumer class actions and states that it "intend[s] to file motions to dismiss."

Given the magnitude of the Target data breach (the largest retail breach in U.S. history) and the consequential number of interested parties, the outcome of Target's eventual motion to dismiss could have far-reaching implications.

To view Foley Hoag's Security, Privacy and The Law Blog please click here
