ebook img

In re: Target Corporation Customer Data Security Breach Litigation PDF

16 Pages·2014·0.06 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview In re: Target Corporation Customer Data Security Breach Litigation

CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 1 of 16 UNITED STATES DISTRICT COURT DISTRICT OF MINNESOTA In re: Target Corporation Customer MDL No. 14-2522 (PAM/JJK) Data Security Breach Litigation, This document relates to: MEMORANDUM AND ORDER Financial Institution Cases. This matter is before the Court on Defendant Target Corporation’s Motion to Dismiss the Consolidated Amended Class Action Complaint (Docket No. 163) in the Financial Institution Cases. For the reasons that follow, the Motion is granted in part and denied in part. BACKGROUND In December 2013, Defendant Target Corporation, a Minnesota-headquartered retailer that is one of the nation’s largest retail chains, announced that over a period of more than three weeks during the busy Christmas holiday shopping season, computer hackers had stolen credit- and debit-card information for approximately 110 million of Target’s customers. Lawsuits soon followed this announcement, and ultimately the Judicial Panel on Multidistrict Litigation consolidated all federal lawsuits into this litigation. The multidistrict litigation consists of two distinct types of claims: those brought by consumers and those brought by financial institutions. The Motion at issue here seeks to dismiss only the Consolidated 1 Amended Class Action Complaint (Docket No. 163) filed in the financial institution cases. 1 The Court will refer to this pleading as the Complaint. CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 2 of 16 The court in another consumer data breach case has succinctly described the nation’s credit- and debit-card system as follows: Every day, merchants swipe millions of customers’ payment cards. In the seconds that pass between the swipe and approval (or disapproval), the transaction information goes from the point of sale, to an acquirer bank, across the credit-card network, to the issuer bank, and back. Acquirer banks contract with merchants to process their transactions, while issuer banks provide credit to consumers and issue payment cards. The acquirer bank receives the transaction information from the merchant and forwards it over the network to the issuer bank for approval. If the issuer bank approves the transaction, that bank sends money to cover the transaction to the acquirer bank. The acquirer bank then forwards payment to the merchant. In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., 834 F. Supp. 2d 566, 574 (S.D. Tex. 2011) (footnote omitted), rev’d in part sub nom. Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013). Plaintiffs here are a putative class of issuer banks whose customers’ data was stolen in the Target data breach. Plaintiffs’ Complaint consists of four claims against Target. Count One contends that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. Count Two asserts that Target violated Minnesota’s Plastic Security Card Act, and Count Three alleges that this violation constitutes negligence per se. Count Four claims that Target’s failure to inform Plaintiffs of its insufficient security constitutes a negligent misrepresentation by omission. Target now seeks dismissal of all claims, arguing that Plaintiffs have failed to plead sufficient facts to establish any of their claims. 2 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 3 of 16 DISCUSSION When evaluating a motion to dismiss under Rule 12(b)(6), the Court assumes the facts in the Complaint to be true and construes all reasonable inferences from those facts in the light most favorable to Plaintiffs. Morton v. Becker, 793 F.2d 185, 187 (8th Cir. 1986). However, the Court need not accept as true wholly conclusory allegations, Hanten v. Sch. Dist. of Riverview Gardens, 183 F.3d 799, 805 (8th Cir. 1999), or legal conclusions that Plaintiffs draws from the facts pled. Westcott v. City of Omaha, 901 F.2d 1486, 1488 (8th Cir. 1990). To survive a motion to dismiss, a complaint must contain “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545 (2007). Although a complaint need not contain “detailed factual allegations,” it must contain facts with enough specificity “to raise a right to relief above the speculative level.” Id. at 555. “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements,” will not pass muster under Twombly. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 555). In sum, this standard “calls for enough fact[s] to raise a reasonable expectation that discovery will reveal evidence of [the claim].” Twombly, 550 U.S. at 556. A. Negligence The parties agree that, at least for the purposes of this Motion, Minnesota law governs Plaintiffs’ negligence claim. A claim of negligence under Minnesota law requires a plaintiff to allege four elements: duty, breach, causation, and injury. Schmanski v. Church of St. 3 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 4 of 16 Casimir of Wells, 67 N.W.2d 644, 646 (Minn. 1954). Target contends that Plaintiffs have failed to sufficiently allege that Target owed them a duty or that Target breached any duty. 1. Duty Minnesota law imposes a duty “to act with reasonable care for the protection of others” in two situations: First, . . . general negligence law imposes a general duty of reasonable care when the defendant’s own conduct creates a foreseeable risk of injury to a foreseeable plaintiff. See 1 J.D. Lee & Barry A. Lindahl, Modern Tort Law: Liability & Litigation § 3.48 (2d ed. 2003). Second, a defendant owes a duty to protect a plaintiff when action by someone other than the defendant creates a foreseeable risk of harm to the plaintiff and the defendant and plaintiff stand in a special relationship. See Bjerke v. Johnson, 742 N.W.2d 660, 665 (Minn. 2007). In other words, although a defendant generally does not have a duty “to warn or protect others from harm caused by a third party’s conduct,” H.B. ex rel. Clark v. Whittemore, 552 N.W.2d 705, 707 (Minn.1996), an exception to this rule exists when the parties are in a special relationship and the harm to the plaintiff is foreseeable. Domagala v. Rolland, 805 N.W.2d 14, 23 (Minn. 2011). The existence of a duty is a question of law. ServiceMaster of St. Cloud v. GAB Bus. Servs., Inc., 544 N.W.2d 302, 307 (Minn. 1996). Target contends that Plaintiffs’ claims must be analyzed as falling under the third- party-harm type of negligence, so that to be liable Target and Plaintiffs must stand in a “special relationship” with one another. Target asks the Court to find as a matter of law that Target had no duty to Plaintiffs because there is no special relationship between Plaintiffs and Target and, in any event, “‘a person has no duty under Minnesota law to protect another from the harmful conduct, including criminal conduct, of a third person.’” (Def.’s Supp. 4 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 5 of 16 Mem. (Docket No. 185) at 6 (quoting RKL Landholding, LLC v. James, No. A12-1739, 2013 WL 2149979, at *2 (Minn. Ct. App. May 20, 2013)).) Plaintiffs argue that this case is not a third-party-harm case but rather is a straightforward negligence case: Target’s own conduct, in failing to maintain appropriate data security measures and in turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm. Plaintiffs also argue that, even if this situation is a third-party-harm situation where a special relationship between Plaintiffs and Target is required, they have pled such a special relationship here. But as Target points out, Minnesota has recognized this “separate and distinct” special relationship doctrine, Domagala, 805 N.W.2d at 23, in a very few, limited situations that are not applicable here. See RKL Landholding, 2013 WL 2149979, at *2 (noting that the “‘special relationship’ exception is a narrow one”). Moreover, the Minnesota Supreme Court has cautioned against extending those situations further. See Whittemore, 552 N.W.2d at 709 (stating that “this court has carefully carved out” the “outer boundaries” of the special relationship exception). At this preliminary stage of the litigation, Plaintiffs have plausibly pled a general negligence case. Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target’s “own conduct create[d] a 5 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 6 of 16 foreseeable risk of injury to a foreseeable plaintiff.” Domagala, 805 N.W. 2d at 23. Thus, the Court must determine whether Plaintiffs have sufficiently pled that Target owed Plaintiffs a duty of care under general negligence principles. Minnesota courts have considered the following factors when determining whether a defendant owed a duty of care in a general negligence case: (1) the foreseeability of harm to the plaintiff, (2) the connection between the defendant’s conduct and the injury suffered, (3) the moral blame attached to the defendant’s conduct, (4) the policy of preventing future harm, and (5) the burden to the defendant and community of imposing a duty to exercise care with resulting liability for breach. Domagala, 805 N.W.2d at 26. The duty to exercise reasonable care arises from the probability or foreseeability of injury to the plaintiff. Id. “Although in most cases the question of foreseeability is an issue for the jury, the foreseeability of harm can be decided by the court as a matter of law when the issue is clear.” Foss v. Kincaid, 766 N.W.2d 317, 322-23 (Minn. 2009). The Court evaluates Plaintiffs’ allegations regarding these factors in the light most favorable to Plaintiffs, keeping in mind that this Motion tests only the sufficiency of those allegations and not the ultimate success of Plaintiffs’ legal theories. Plaintiffs have plausibly alleged that Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to Plaintiffs. Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered. And Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also 6 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 7 of 16 plausible. Imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information. See Minn. Stat. § 325E.64. And despite Target’s dire warnings about the burden of imposing such a duty, it is clear that the institutional parties to credit- and debit-card transactions have already voluntarily assumed similar duties toward one another. See, e.g., In re Heartland, 834 F. Supp. 2d at 588 (noting that Visa and MasterCard Card Operating Regulations, which apply between merchants, issuer banks, and acquirer banks, specify procedures for issuer banks to make claims in the event of data breaches). That Plaintiffs have plausibly alleged a duty on Target’s part is bolstered by the existence of Minnesota’s Plastic Card Security Act, discussed in more detail below. While courts are reluctant to recognize duties of care in the absence of legislative imprimatur, the duty to safeguard credit- and debit-card data in Minnesota has received that legislative endorsement. And the legislature specifically acknowledged the availability of other causes of action arising out of a Minnesota company’s failure to safeguard customers’ information, stating that the remedies under the PCSA “are cumulative and do not restrict any other right or remedy otherwise available” to the issuer banks. Minn. Stat. § 325E.64, subd. 3. Plaintiffs have adequately pled that Target owed them a duty of care, and their negligence claim will not be dismissed on this basis. 2. Breach Having determined that Plaintiffs have plausibly alleged the existence of a duty, there can be no doubt that Plaintiffs have also plausibly alleged that Target breached that duty by 7 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 8 of 16 failing to safeguard Plaintiffs’ customers’ information. Because Target does not challenge Plaintiffs’ allegations with respect to the elements of causation and damages, Plaintiffs’ negligence claim succeeds in stating a claim on which relief can be granted. B. Negligent Omission Plaintiffs’ negligent-misrepresentation-by-omission claim alleges that Target “failed to disclose material weaknesses in its data security systems and procedures” that it had an obligation to disclose. (Compl. ¶ 131.) According to Target, this claim fails for multiple reasons: Target had no duty to disclose anything to Plaintiffs; Plaintiffs have failed to plead this claim with the particularity Rule 9(b) requires; a negligent misrepresentation claim does not lie with respect to statements about Target’s intent; and Plaintiffs have failed to allege reliance, which is an essential element of a negligent-misrepresentation-by-omission claim. 1. Duty “As a general rule, one party to a transaction has no duty to disclose material facts to the other.” Smith v. Questar Capital Corp., Civ. No. 12-2669, 2014 WL 2560607, at *14 (D. Minn. June 6, 2014) (Nelson, J.). This rule applies “unless (1) there existed a fiduciary or confidential relationship between the parties; (2) one party was in possession of special facts that could not have been discovered by the other; or (3) one party who chooses to speak omits information so as to make the information actually disclosed misleading.” Id. (citing Sailors v. N. States Power Co., No. 4:02-253, 1992 WL 532172, at *9 (D. Minn. July 13, 1992) (MacLaughlin, J.); Klein v. First Edina Nat’l Bank, 196 N.W.2d 619, 622 (Minn. 1972)). 8 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 9 of 16 Plaintiffs have not alleged that there is a fiduciary or confidential relationship between Target and Plaintiffs. Rather, Plaintiffs contend that Target knew facts about its ability to repel hackers that Plaintiffs could not have known, and that Target’s public representations regarding its data security practices were misleading. Target takes issue with Plaintiffs’ allegations in this regard, but on a Motion to Dismiss, the Court must determine only whether the allegations are plausible. The allegations meet that plausibility standard, and Plaintiffs have adequately pled a duty of care. 2. Rule 9(b) Target also argues that Plaintiffs’ negligent omission claim should be dismissed for failure to comply with the stricter pleading requirements of Rule 9(b). The Rule requires that, “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b). These heightened pleading requirements apply to negligent-misrepresentation-by-omission claims. Trooien v. Mansour, 608 F.3d 1020, 1028 (8th Cir. 2010). In the context of a claim of negligent omission, the Rule is satisfied “if the omitted information is identified and ‘how or when’ the concealment occurred.” In re Bisphenol-A (BPA) Polycarbonate Plastic Prods. Liab. Litig., 687 F. Supp. 2d 897, 907 (W.D. Mo. 2009) (citing Great Plains Trust Co. v. Union Pac. R. Co., 492 F.3d 986, 996 (8th Cir. 2007)). Plaintiffs have identified the omitted information, namely Target’s failure to disclose that its data security systems were deficient and in particular that Target had purposely disengaged one feature of those systems that would have detected and potentially stopped 9 CASE 0:14-md-02522-PAM Document 261 Filed 12/02/14 Page 10 of 16 the hackers at the inception of the hacking scheme. Plaintiffs contend that these omissions were made in representations such as Target’s online Privacy Policy and in Target’s agreement to comply with Visa and MasterCard’s Card Operating Regulations and other security requirements. Although these allegations are not as detailed as Target would like, at this early stage of the litigation they are sufficient to allege the “how or when” the information regarding Target’s data security practices was omitted from disclosure. Plaintiffs have complied with 9(b). 3. Omissions Target argues that Plaintiffs’ claim is not cognizable because it is founded on alleged omissions regarding what Target intended to do with respect to data security. Target contends that an omission regarding Target’s “present intention to act in the future” is not actionable because it cannot be proved false. (Def.’s Supp. Mem. (Docket No. 185) at 23.) But Target misconstrues Plaintiffs’ claim. Plaintiffs’ negligent-omission claim is not premised on any statement about Target’s future intentions or even on Target’s statements about the data breach itself, but rather on the fact that Target held itself out as having secure data systems when Target knew that it did not have secure systems and had taken affirmative steps to make its systems more vulnerable to attack. At this stage of the case, this allegation is sufficient to state a claim for negligent omission. 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.