The recent massive data breach into Target’s payment systems compromising millions of payment card numbers is now on the list of the most infamous breaches. In addition, stories are now appearing in news media about lawsuits being filed in the wake of the data breach by victims whose payment card information was believed stolen. I am writing this post to explain what a typical data breach lawsuit looks like.
I picked as an example a case entitled Jennifer Kirk v. Target Corporation, filed in my local federal district court, the Northern District of California. You can download a copy of the complaint here. The first interesting thing to note about the complaint is that the plaintiffs’ attorneys filed it on December 19, 2013. They say in the complaint that the publicity about the data breach began on December 18, and the news was publicized widely the following day. In other words, it took them less than a single day to file the suit, reminiscent of the “Zero Day” lawsuit I wrote about in an earlier blog post.
The complaint begins with an introduction of the parties and information about why the attorneys filed the case in the Northern District of California. Following these topics, the complaint talks about the factual background of the case. The complaint says that Jennifer Kirk did Christmas shopping in Target before the holiday using her debit card. The complaint then recites information gleaned from the news about how the breach may have occurred.
Following that, the complaint talks about the impact of identity theft. Since the complaint was filed in less than a day, it does not recite facts about actual identity theft sustained by Ms. Kirk or anyone else. We can expect the defendants to seek dismissal of the complaint for failure to allege actual concrete harm sufficient to support a federal lawsuit. Instead, the complaint talks about the harms of identity theft generally and says that plaintiff class members will have to monitor their credit for years to come.
Following the facts, the plaintiffs lay out six types of legal claims:
- Violation of California’s Unfair Competition Law for unfair, illegal, and fraudulent business practices – a typical claim in a business-related case.
- Invasion of privacy, which claims that Target disclosed private information without authorization. This claim may be more difficult, since Target did not intentionally disclose information. Rather, the information was taken from Target.
- Negligence (failing to take reasonable care to protection payment information), which is a typical claim.
- Bailment. Plaintiffs say that they entrusted personal information to Target, which failed to protect it. This is somewhat of an unusual claim, because bailment usually involves entrusting some tangible personal property to another for safekeeping, and the person caring for it damages or loses it.
- Conversion (interference with plaintiffs’ ownership in their personal information). This claim may be more difficult because it was the hackers, rather than Target, that stole the information.
- Violation of California’s data protection and breach notification law for failing to take reasonable security measures to protect personal information and for failing to provide prompt breach notification.
The plaintiffs seek relief in their complaint in the form of money damages, restitution and disgorgement of profits from Target’s business, a court order stopping Target’s supposedly wrongful conduct, and attorneys’ fees.
If the earlier TJX data breach is any indication, data breach litigation will likely cost Target over $100 million in investigation, remediation, legal fees, and settlement costs. There will likely be dozens of class actions, which may be consolidated to some extent. And government investigations are now underway, which may result in additional legal actions. In all, this is likely to be a costly breach for Target, and may be one more exhibit in the case to be made for replacing magnetic stripe technology on cards sooner than currently targeted.
Stephen S. Wu
Partner, Cooke Kobrick & Wu LLP