On September 15, 2015, Justice Paul A. Magnuson of the United
States District Court, District of Minnesota granted class
certification to banks that issued payment cards in the payment
card data breach that was publicly disclosed by Target on December
The Judicial Panel on Multidistrict Litigation consolidated
lawsuits regarding the breach in the Minnesota court. The case then
separated into two "tracks" — one for
consumers and one for financial institutions. While the consumer
action was settled, the action by the financial institutions
Those institutions had issued debit and credit cards to
consumers who, in turn, had used those cards at Target during the
period of the breach. Following the breach, the banks reissued the
cards, at their cost, which they sought to recover from Target.
The financial institutions alleged that Target was negligent in
failing to provide sufficient security to prevent the hackers from
accessing customer data. They also alleged that Target violated
Minnesota's Plastic Security Card Act.
Target's focus in defending the certification motion was
that there was no question of law or fact common to the class which
predominated over questions affecting the individual members, and
that the class action was not superior to other available methods
in the adjudication of the allegations.
Specifically, Target argued that because the banks were
themselves domiciled in different states, different laws of
negligence would apply, such that any question of law was not in
fact common. The Court rejected that argument, holding that the law
of the State of Minnesota would apply to all.
Target also argued that the banks' decision to reissue the
cards was a business decision, for which it should not be liable in
law. As the Court noted, the absurdity of that position was made
evident from the fact that Target reissued its own debit cards in
weeks after the breach.
Plaintiffs alleged that Target had also violated Minnesota's
Plastic Card Security Act, which governed the kind and
quality of customer data that retailers could retain, and which
required that those who breached the legislation reimburse
"reasonable" costs. Target argued that whether each
bank's actions were "reasonable" within the meaning
of the statute had to be judged on a bank by bank basis, and that
hence there was no common factual question.
The Court disagreed. It noted that whether particular
actions — reissuance, blocking accounts, reimbursing
fraudulent charges, paying for customers fraud
monitoring — were reasonable actions in the face of the
data breach, could be determined on a class-wide basis, and need
not be determined with respect to each financial institution.
On the issue of damages, Target had argued that there were
contributory fault defences that were unique to each bank, such
that damages were not common. The Court saw this for what it
was — a classic argument of contributory negligence or
failure to mitigate damages, neither of which related to the
underlying liability for the data breach.
On the related issue whether reissuance costs and fraud losses
were determinable on a classwide basis, the Court noted that even
if these damages could not be calculated on a classwide basis,
class certification was still appropriate if the other factors for
certification were met and there was no risk that individual
damages outweighed the classwide issues.
In Irwin v. Alberta Veterinary Medical Association, 2015 ABCA 396, the Alberta Court of Appeal found that the "ABVMA" failed to afford procedural fairness to a veterinarian undergoing an incapacity assessment.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).