Target Ends Dispute With Mastercard Over 2013 Data Breach

Following the highly publicized data breach affecting Target retail stores in 2013, the retail giant has agreed to pay up to $19 million to MasterCard credit card issuers worldwide to compensate them for the costs of canceling accounts, creating new accounts, and issuing new cards. MasterCard is urging card issuers to accept the deal, which calls for Target to pay the card issuers by the end of the second quarter.

In late 2013, Target suffered a massive data breach in which 110 million customer records were stolen, which included 40 million credit card numbers. In an attempt to be proactive, Target informed financial institutions about credit cards that may have been compromised and offered free credit counseling to its consumers to combat the onslaught of litigation that was to follow. As a result of the breach, which was highly publicized, many other retail establishments became victims of their own data breaches, spurring numerous lawsuits nationwide.

Apart from individual consumers filing class action lawsuits across the country against Target, credit card issuers, which include banks, credit card companies, and other financial firms, incurred hard costs of cancelling accounts and issuing replacement cards with new account numbers. While individual consumers filing data breach lawsuits had to overcome Clapper in arguing that an injury-in-fact did occur instead of speculative damages, credit-card issuers and financial institutions had actual damages to move forward on their claims. As a result, Target has negotiated a deal only with MasterCard to this point.  It is possible that Target is also negotiating a similar agreement with Visa.

Image courtesy of Flickr by Mike Mozart

With Data Breach Class Actions on the Rise, Clapper Provides a Viable Defense

With recent data breaches at Home Depot, Target, Jimmy John’s, eBay, Neiman Marcus, P.F. Chang’s, Goodwill Industries, CNET, and others, there has been a resultant explosion of cybersecurity litigation.  Despite the rise in this area of litigation, data breach lawsuits still have to overcome a major hurdle – the standing requirement enunciated in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013).

In Illinois, a number of such lawsuits were filed in the wake of Advocate Medical Group’s revelation that four laptops were stolen from its offices, containing the unencrypted personal health information of more than 4 million patients.  In one such putative class action, Vides v. Advocate Health and Hospitals Corp., the state court followed the rationale of Clapper in rejecting the plaintiffs’ argument that an increased risk of identity theft is sufficient in and of itself to satisfy the “injury-in-fact” requirement necessary to establish standing.

In Vides, the plaintiffs’ theories of liability included common law negligence, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, violation of the Illinois Personal Information Protection Act, public disclosure of private facts, and intentional infliction of emotional distress.  The court found that none, including the purported statutory violations, were adequate to confer plaintiffs standing, and that the damages asserted were too speculative to establish an injury in fact.  In coming to that conclusion, Judge Mitchell Hoffman reasoned that there are a number of variables that would have to be answered in the affirmative to establish an injury in fact, such as whether a person’s data was actually taken, whether that data was sold or transferred, whether anyone attempted to use the person’s data, and whether they succeeded in using it.  Because the plaintiffs could not allege that a threatened injury was certain as a result of the breach, the suit was dismissed in its entirety.

In coming to this ruling, the court noted that courts across the country had rejected the argument that risk of harm could equate to an injury in fact sufficient to satisfy Article III of the U.S. Constitution.  In its survey of law on data breach class actions across the country, the court also distinguished Seventh U.S. Circuit Court of Appeals decisions holding that the mere increased risk of identity theft was sufficient to confer standing, since these decisions predated Clapper.  Therefore, Clapper remains a tenuous obstacle for data breach lawsuits to overcome.

While the Clapper decision provides an excellent defense to data breach lawsuits, cybersecurity litigation remains on the rise.  As such, companies should continue to be proactive in assessing their internal systems and procedures to prevent any data breaches from occurring.

Image courtesy of Flickr by Mike Mozart