The fallout from the late 2013 data security breach involving the Target Corporation is not over yet. After Target announced that financial information of more than 40 million consumers could be at risk, a flurry of lawsuits were filed by consumers and financial institutions. The consumer suits settled. The financial institution suits live on (for now) in In re Target Corp. Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Sept. 15, 2015), where a class of financial institutions who issued credit cards to Target consumers alleged that they were injured by Target’s failure to prevent hackers from accessing customer data in the form of replacing cards and reimbursing fraud losses.
Plaintiffs sought Rule 23(b)(3) class certification. Target opposed, arguing that the injuries are “risk of future harm” that financial information might in the future be used, so cannot be established with classwide proof. The court noted that the banks already reissued cards and that some have already incurred losses from payments. Target countered that there was no requirement that the plaintiffs reissue cards, so the voluntary act cannot be used by the plaintiffs to establish their own injuries. The court rejected the argument, holding that “[w]hether a specific action was legally mandated is not required to establish injury or causation.” The court commented that the “absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards . . . in the weeks after the breach.”