By: Jon Macklem & Paul Zimmerman
Christian & Small LLP
Birmingham, Alabama
If 2014 was the year of the data breach, then the Target Corporation data breach – which impacted approximately 110 million customers – serves as the high water mark in a year full of cyber attacks on some of the world’s largest companies. In part because of its sheer size, the resulting consumer litigation has garnered a significant amount of attention from both the media and the legal community.
During 2013-2014, a noticeable trend was seen in many federal courts deciding major consumer data breach cases. As these cases multiplied, many courts required that plaintiff consumers demonstrate they have suffered actual economic harm as a result of the data breach in order meet the “injured in fact” standing requirement under Article III of the U.S. Constitution. An overwhelming majority of the courts across the country have determined that the mere increased threat of identity theft in the future does not constitute an injury and generally dismissed those claims. However, a number of courts in recent decisions, including some of the judges within the Northern District of Illinois, have moved the standing pendulum even further by determining that consumers must demonstrate that they have suffered some unreimbursed or actual out-of-pocket expense as a result of the data breach in order to show sufficient standing to pursue their lawsuits.
As a result of this standing requirement, which at least one court has recognized as “difficult” for consumers to meet, a number of consumer data breach lawsuits have been dismissed at the initial Rule 12(b) stage when the plaintiffs failed to allege concrete economic damages. However, in contrast to these recent decisions, the Target opinion indicates that the pendulum may have swung, even if ever so slightly, away from the defendants and toward protecting consumers who may not have experienced any actual economic harm.
A number of class actions were filed by Target customers whose credit card information was compromised as a result of the data breach. The Judicial Panel on Multi-District Litigation consolidated a multitude of consumer class actions from across the country to the U.S. District Court of Minnesota for pre-trial proceedings. Upon consolidation, Target moved to dismiss those consumer claims for a number of reasons. The judge presiding over those cases, the Honorable Paul Magnuson, granted and denied various portions of Target’s motion to dismiss. In its 46-page opinion issued on Dec. 18, 2014, the court made a number of key rulings that will certainly be cited in consumer data breach cases pending in other courts across the country.
The December opinion in the Target case appears to go against the trend of requiring consumers to allege and prove that they have suffered out-of-pocket expenses as a result of a data breach. In its opinion, the court specifically found that the plaintiffs have alleged sufficient injuries by claiming unlawful charges, blocked access to bank accounts, delayed access to accounts, as well as other damages. The court appears to reject Target’s argument that these forms of damages are insufficient because the plaintiffs have not unequivocally or clearly stated that they have indeed suffered an unreimbursed expense, which other courts have required.
Without much analysis as to what other courts have previously required in terms of standing, the court in the Target case concludes that at the 12(b) stage the consumers have stated sufficient damages and therefore have standing to assert their claims. The court also appears to have decided that these issues of standing require discovery and further consideration after class certification issues have been decided. Given that the trend in recent cases has been toward settlement following preliminary motion to dismiss proceedings, the impact of delaying consideration of the standing issue on the expense of defending or disposing of the case is clear.
The opinion on Target’s motion to dismiss also raises a number of other interesting points that will inevitably be cited by plaintiffs in other pending and future data breach cases. First, the court determined at the 12(b)(6) stage that the plaintiffs have plausibly alleged an implied contract between the consumers and Target. The court reasoned that when Target issued credit cards it was plausible that the company implicitly agreed with consumers to take reasonable efforts to secure their data. While an argument could be made that credit card information and the protection of that data is implicit within a credit card contract, other courts dealing with data breaches not involving credit cards have determined that no implied contract to protect information exists when the basic essence of the contract deals with something other than data security – that is, when data security is incidental to the transaction rather than its primary purpose.
By allowing an implied contractual claim based upon an inferred obligation to take reasonable efforts to protect data, the court essentially makes a single contract into a multitude of different divisible contracts based on implied obligations to each consumer. This could potentially create a dangerous precedent to be used in other contexts where a contractual obligation is generated from a perceived harm. It is the perceived harm itself that retroactively creates an implied contract claim. This can be especially problematic when the implied obligation was not contemplated by the parties involved in the contractual relationship. Allowing an eventual perceived harm to retroactively create an implied contractual obligation can put the cart before the horse in terms of a contract claim.
Second, the court determined that the plaintiffs have alleged sufficient facts to allow an unjust enrichment claim to proceed toward class certification and potentially allow class-wide discovery on the merits of the claims. The court opined that the consumers stated a plausible unjust enrichment claim based on the theory that if the consumers had known that Target was allegedly not taking reasonable steps to protect their data, then they would have never shopped at Target. While at first blush this theory seems reasonable, an unjust enrichment claim based on this theory of detrimental reliance still begs the question as to the basis of consumers’ damages for this claim.
For example, assume that a customer bought laundry detergent at Target. The claim asserted in the lawsuit is that this customer would not have done this had he/she known that Target was not protecting his credit card information. Using the contractual damage principle of putting the plaintiff in the same position had there been no breach, it is difficult to discern the appropriate form of damages in this hypothetical situation. In the hypothetical, the consumer still received the laundry detergent. Ordinarily, the damages would be the difference in the value of the goods purchased versus the value of the same goods purchased elsewhere. Under this theory, the plaintiffs would have to say that they would have been forced to pay more for laundry detergent at another store because they did not want to shop at Target due to the store’s alleged failure to protect credit card information. Of course, this does not make sense because they did not go to another store.
Along the lines of turning a single contractual relationship into a series of divisible contracts, consumers will likely assert that they are entitled to a refund of some fractional cost of the product (e.g., the laundry detergent) that should have been spent on data security. Plaintiffs’ attorneys will argue that they have the right to now sift through a company’s overhead and then claim what more should have been spent on data protection. This precedent also presents a slippery slope, and courts should be reluctant to allow claims based on a refund of some “diminished value” to the product, when the alleged deficiency is not based on the product’s/service’s main purpose.
In closing, the opinion on the motion to dismiss in the Target consumer data breach litigation serves as a well-publicized and interesting guidepost that other courts will be asked to consider in addressing issues concerning data breach class actions at the 12(b) stage. Though some skepticism of the claims might be read between the lines of the opinion, the court in the Target case postponed consideration of most of Target’s arguments until the summary judgment stage, which typically occurs after discovery. Delaying decisions on legal issues, such as standing, will make litigation more costly, and a solid argument can be made that judicial economy is best served by forcing consumers to “show their cards” in the complaint in order for standing issues to be addressed as early as possible.
While attorneys representing the consumers will certainly cite the Target decision in arguing that the standing issues should not be addressed at early stages of litigation, the opinion does not concretely address what types of damages will get past the requirement of standing under Rule 12(b)(1) and Article III of the Constitution, whether addressed on a motion to dismiss or at summary judgment. In fact, the constitutional requirements of standing are hardly addressed in the opinion. Many of the court’s holdings may be construed by some as allowing standing for plaintiffs who have not suffered an out-of-pocket expense. However, because of the court’s brief analysis as to the standing questions, the opinion should not necessarily be read as swinging the pendulum back in favor of consumers. It is important to note that the judge specifically stated that the plaintiffs had alleged some unreimbursed charges as well as other consequential damages that would have a direct financial impact on some of the named plaintiffs in this case. Again, the court did not so much agree with, or even accept, the plaintiffs’ theories as it found the arguments put forth by Target as premature.
It will be interesting to see how other courts rely on the Target opinion. It will also be interesting to see if Target follows the precedents of other large retailers that have settled data breach cases after the 12(b) initial motions have been decided, but prior to a substantive analysis and consideration by the court as to class certification. Maybe the pendulum has not swung the other way, but only paused.
For more information about Christian & Small LLP, please visit the International Society of Primerus Law Firms.