Target’s 2013 data breach has generated over 100 consumer lawsuits, which were consolidated last year before the U.S. District Court for the District of Minnesota. On December 18, 2014, Judge Paul A. Magnuson issued a decision on Target’s motion to dismiss the consolidated consumer cases.  The court liberally construed the pleadings, letting most of the complaint survive. This comes on the heels of the decision earlier in December allowing the banks to proceed in their complaint against Target seeking reimbursement for the $400 million they claim they spent reissuing credit and debit cards. (Cases brought by banks and derivative shareholder actions have also been consolidated before Judge Magnuson.)

Consumer data breach plaintiffs frequently stumble on the issue of harm, with courts finding that they either lack standing or have failed to plead sufficient injuries to satisfy pleading requirements. Here, however, the court accepted plaintiffs’ pled injuries for both the standing analysis and for the claims that required a showing of harm.  The decision summarizes 90 paragraphs of the complaint as allegations that plaintiffs had suffered "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees."

Target had argued that no one alleged they had not been reimbursed for their alleged injuries, but the court called that “too high a bar,” rejecting Target’s standing arguments in less than a page. The court did not mention the U.S. Supreme Court’s decision in Clapper v. Amnesty Int'l, 133 S. Ct. 1138, 568 U.S. __, 185 L. Ed. 2d 264 (2013), which has been cited by several other courts recently in finding that consumer data breach plaintiffs lacked standing.

Once the court found plaintiffs’ injuries sufficient to establish standing, it also rejected Target’s arguments that plaintiffs did not plead harm flowing from the alleged negligence and statutory violations (although the court indicated it may be appropriate for Target to renew its arguments at the summary judgment stage). The plaintiffs have thus cleared a common hurdle for data breach plaintiffs, and done so more cleanly than plaintiffs in Sony II, previously the biggest consumer case to survive a post-Clapper standing analysis. While the Sony II plaintiffs were found to have standing, most of their claims were dismissed on the merits because their alleged injuries were insufficient to satisfy the elements of their claims. See In re Sony Gaming Networks & Customer Data Breach Litig., 996 F. Supp. 2d 942, 1013 (S.D. Cal. 2014).

Other points of interest in the decision:

• • Target also challenged plaintiffs’ standing to bring state data breach law claims in the five states where none of the 114 named plaintiffs reside. The court refused to dismiss these claims, agreeing with split authority that determination should be made only after class certification.  The court stated that there were “undoubtedly” residents of all states affected by the breach, and thus “forc[ing] Plaintiffs’ attorneys to search out those individuals at this state serves no useful purpose.”  The court noted that Target could renew its arguments if a class were to be certified that did not contain residents of all relevant states. 

• • Plaintiffs alleged that Target failed to comply with state data breach notification statutes, and if customers had been notified earlier of the breach, they would not have shopped at Target. They did not allege any other damages from delayed notice.  The court let these claims survive (again inviting Target to renew its arguments at the summary judgment stage), crediting the possibility that Target should have notified the public about the breach within days of when it began.    
  • Several state negligence claims were dismissed based on the economic loss doctrine (which requires a plaintiff to allege that he or she suffered an economic loss in order to maintain a cause of action) but the court let claims survive where there was any doubt as to whether the doctrine applied.
  • The court rejected plaintiffs' theory that they overpaid for goods at Target because they were paying for additional security they did not get, pointing out that Target charges the same price for goods whether paid for in cash or credit.

In the end, only a handful of state claims were dismissed on state-specific grounds, such as the economic loss rule, mentioned above, or the use of class actions under consumer protection statutes. Most of the consumer protection and negligence claims, and over half of the data breach notice claims, survived—many of which seek monetary damages.  Although the court signaled that it might be receptive to Target’s arguments on a motion for summary judgment later in the case, that option would likely arise only after potentially expensive and damaging discovery, class certification, and other procedural hurdles.  The case is thus likely to provide a roadmap for consumer class action lawyers seeking to guide their data breach claims successfully past a motion to dismiss.

© 2015 Perkins Coie LLP