Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:

All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.

This certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Security Card Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.

In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.

The court deemed Target’s choice-of-law objection baseless. “Minnesota’s contacts with this action are legion: Target is headquartered in Minnesota; its computer servers are located in Minnesota; the decisions regarding what steps to take or not take to thwart malware were made in large part in Minnesota.” Hence, Minnesota law applies.

As to classwide proof of injury due to negligence, the court credited an American Bankers Association survey that banks reissued “nearly every card” that was subject to an alert after the Target breach.  Target claimed such reissuance was voluntary and Target should not have to pay. The court rebuffed this suggestion: “The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach.”

As to classwide recovery for violation of the PCSA (including as negligence per se), the court found that both the alleged violation (for unauthorized retention of data) and the alleged injury could be determined on a classwide basis. “Whether particular actions—reissuance, blocking accounts, reimbursing fraudulent charges, paying for customers’ fraud monitoring—are reasonable actions in the face of a data breach can be determined class-wide and need not be examined with respect to each financial institution individually.”

The court relied on an expert report which proposed a method to calculate reissuance and fraud losses on a classwide basis. “Should classwide damages ultimately prove unworkable, a damages class can be decertified and damages questions stayed for determination after the liability phase concludes.” Finally, the court directed that notice be sent to the financial institution class members, who will be told the nature of the action and have the opportunity to exclude themselves from class adjudication.