In re Target Corp. Customer Data Security Breach Litigation
64 F. Supp. 3d 1304
D. Minnesota2014Background
- In December 2013 Target disclosed a data breach in which hackers stole credit- and debit-card information for ~110 million customers; multidistrict litigation consolidated consumer and financial-institution suits.
- The Financial Institution Plaintiffs are issuer banks claiming losses from reissuing cards and other costs resulting from the breach.
- Plaintiffs allege: (Count I) negligence for inadequate security and disabling security features; (Count II) violation of Minnesota’s Plastic Card Security Act (PCSA); (Count III) negligence per se based on the PCSA; (Count IV) negligent misrepresentation by omission for failing to disclose security weaknesses.
- Target moved to dismiss for failure to plead duty, breach, causation, reliance, and for alleged inapplicability of the PCSA to out-of-state transactions or to the manner in which data was stolen.
- The court evaluates pleadings under Rule 12(b)(6) and Twombly/Iqbal plausibility standards and applies Minnesota law to negligence issues.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Existence of duty (negligence) | Target’s disabling of security and failures created a foreseeable risk to issuer banks; general negligence duty exists. | No special relationship; if third-party harm, no duty absent special relationship. | Duty plausibly alleged under general negligence principles; negligence claim survives. |
| Breach, causation, damages | Target failed to safeguard data and disabled protections, causing plaintiffs’ losses. | Plaintiffs insufficiently pled breach/causation. | Breach plausibly alleged; Target did not separately challenge causation/damages; negligence stands. |
| Negligent misrepresentation by omission (duty & pleading) | Target had superior knowledge of security weaknesses; public statements were misleading; omissions identified. | No duty to disclose; Rule 9(b) not satisfied; omissions about future intent not actionable; plaintiffs did not plead reliance. | Duty and 9(b) satisfied as pleaded, but plaintiffs failed to allege reliance—omission claim dismissed without prejudice; 30 days to amend. |
| PCSA scope and causation | PCSA applies to Minnesota businesses (Target) even for out-of-state transactions; servers retained data enabling theft. | PCSA applies only to in-state transactions or only to data stored for future use; hackers stole data at swipe, not from retained files, so no causal link. | PCSA applies to entities conducting business in Minnesota; plaintiffs allege data was retained on Target servers and accessed by hackers—PCSA claim survives; negligence per se survives. |
Key Cases Cited
- Domagala v. Rolland, 805 N.W.2d 14 (Minn. 2011) (duty analysis—foreseeability and special-relationship framework)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for pleadings)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (limits on conclusory allegations under Twombly standard)
- In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011) (describing card-transaction ecosystem and industry data-security rules)
- Affiliated Ute Citizens v. United States, 406 U.S. 128 (1972) (presumption of reliance in securities-omission claims)