On December 2, 2014, the US District Court for Minnesota issued its Memorandum and Order in the “Financial Institution Cases” against Target which granted in part and denied in part Target’s Motion to Dismiss.
Target’s motion sought dismissal of a class action complaint filed by a number of banks related to the December 2013 attack by hackers resulting in the massive breach of customers’ credit/debit card information. The banks’ class action seeks damages related to the costs incurred when the banks issued new cards and reimbursed fraudulent charges incurred by customers.
Target’s motion sought to dismiss all claims brought by the banks, including claims for negligence, a violation of Minnesota’s Plastic Security Card Act, negligence per se, and negligent misrepresentation by omission. The court’s order allows the banks’ class action to move forward.
The December 2, 2014 decision provides significant analysis of the issues concerning data breach cases and undoubtedly will be discussed over the next few months as other courts are set to rule in data breach cases across the country. In particular, the court found the banks were able to survive Target’s Motion to Dismiss on the following grounds:
While the court found these three causes of action survived Target’s motion, the court granted Target’s Motion seeking dismissal of the negligent misrepresentation by omission claim. The banks alleged that Target was liable for failing to disclose “material weaknesses” in its data security systems. First, the court held the banks’ complaint adequately pled a duty of care with allegations “that Target’s public representations regarding its data security practices were misleading.” However, the court granted Target’s motion on this count because the banks’ “complaint contains no indication that [the banks] relied on any of the alleged omissions.”
Throughout the order, the court held Target owed a duty of care to its customers. Specifically, in finding the banks plausibly alleged that Target owed a duty of care, the court reasoned that imposing such a duty “will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”
The court further found that “although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur” by disabling security features and failing to heed warning signs. The court’s reasoning may be the first step toward determining what constitutes a breach of the duty of care in data breach claims.
This decision provides key insight into how courts may be expected to analyze these newly emerging issues. While this decision is not a definitive ruling as to the issues in this case, the court’s finding that Target could owe a duty to the banks to protect their customers’ information is significant not only to this case, but to other data breach cases pending across the country.
Of course, we will continue to provide updates on all developments in this case.