UNITED STATES DISTRICT COURT DISTRICT OF MINNESOTA In re: Target Corporation Customer MDL No. 14-2522 (PAM/JJK) Data Security Breach Litigation, This document relates to: MEMORANDUM AND ORDER Financial Institution Cases. This matter is before the Court on Plaintiffs’ Motion for Class Certification and Appointment of Class Representatives and Class Counsel. For the reasons that follow, the Motion is granted. BACKGROUND This case arises out of a massive breach of the computer network of one of the nation’s largest retailers, Defendant Target Corporation. In late 2013, unidentified computer hackers gained virtually unfettered access to Target’s computer system, ultimately extracting the financial information of more than 40 million consumers. That the breach occurred during the holiday shopping season served to increase its severity. After the Judicial Panel on Multidistrict Litigation consolidated lawsuits regarding the breach in this Court, the case was separated into two “tracks”: one for consumers and one for financial institutions.1 The consumer action has settled, pending final court approval. (Mar. 1 Also informally consolidated with the MDL are cases brought by Target shareholders. Kulla v. Steinhafel, D. Minn. Civ. No. 14-203. These derivative actions are currently stayed while a special litigation committee appointed by Target’s Board of Directors investigates the claims. 19, 2015, Order Preliminarily Approving Settlement (Docket No. 364).) Thus, only the instant “track” of financial-institution cases remains. Plaintiffs in the financial-institution “track” issued payment cards such as credit and debit cards to consumers who, in turn, used those cards at Target stores during the period of the 2013 data breach. The Consolidated Amended Class Action Complaint (Docket No. 163) raises three claims2 against Target. Count One contends that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. Count Two asserts that Target violated Minnesota’s Plastic Security Card Act, and Count Three alleges that this violation constitutes negligence per se. The putative class representative Plaintiffs allege that they suffered injury in the form of replacing cards for their customers, reimbursing fraud losses, and taking various other remedial steps in response to the Target data breach. Plaintiffs now seek the certification of a Rule 23(b)(3) class “of all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.” (Pls.’ Supp. Mem. (Docket No. 474) at 21.) Target opposes the certification request. 2 The Court dismissed a fourth count, which claimed that Target’s failure to inform Plaintiffs of its insufficient security constituted a negligent misrepresentation by omission, but gave Plaintiffs leave to replead. (Dec. 2, 2014, Order (Docket No. 261).) Plaintiffs chose not to replead, and thus assert only the first three claims of their Complaint. 2 DISCUSSION Rule 23(a) sets out the preliminary requirements for the certification of a class action. According to the Rule, a plaintiff seeking class certification must establish that: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class, (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class, and (4) the representative parties will fairly and adequately protect the interests of the class. Fed. R. Civ. P. 23(a). These requirements are commonly expressed as numerosity, commonality, typicality, and adequacy of representation. In addition, because Plaintiffs request certification under Rule 23(b)(3), they must demonstrate that “questions of law or fact common to the class predominate over any questions affecting only individual members, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy.” Again, in common parlance, these requirements are known as predominance and superiority. Although Target also challenges Plaintiffs’ ability to establish every class certification requirement with the exception of numerosity, Target focuses its argument on the related issues of commonality and predominance. The Court does not consider the merits of Plaintiffs’ substantive claims in assessing a motion for class certification, but Plaintiffs bear the burden to establish each element listed above. Gen. Tel. Co. v. Falcon, 457 U.S. 147, 161 (1982). In rigorously analyzing whether Plaintiffs have met their burden, the Court “may look past the pleadings . . . [to] understand the claims, defenses, relevant facts, and applicable substantive law . . . .” Thompson v. Am. 3 Tobacco Co., 189 F.R.D. 544, 549 (D. Minn. 1999) (quotation omitted). Indeed, the class certification “determination generally involves considerations that are enmeshed in the factual and legal issues comprising the plaintiff’s cause of action.” Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1429 (2013). Because of the fact-specific quality of the analysis, the Court exercises broad discretion in determining whether to certify a particular class under Rule 23. Reiter v. Sonotone Corp., 442 U.S. 330, 345 (1979). A. Commonality and Predominance As Target notes, Rule 23(a)’s commonality requirement and Rule 23(b)(3)’s predominance requirement are related and somewhat interdependent concepts. Rule 23(a) requires that there are common questions of law or fact among class members’ claims, and Rule 23(b)(3) requires that those common questions predominate over individual issues. According to Target, any common questions among Plaintiffs do not predominate, making class certification inappropriate. When determining whether common questions predominate, the Court’s “inquiry should be limited to determining whether, if the plaintiffs’ ‘general allegations are true, common evidence could suffice to make out a prima facie case for the class.’” In re Zurn Pex Plumbing Prods. Liab. Litig., 644 F.3d 604, 618 (8th Cir. 2011) (quoting Blades v. Monsanto Co., 400 F.3d 563, 566 (8th Cir. 2005)). A common question is one whose determination “will resolve an issue that is central to the validity of each one of the claims in one stroke.” Wal-Mart Stores v. Dukes, Inc., 131 S. Ct. 2541, 2551 (2011). 4 Target attacks Plaintiffs’ Motion on multiple fronts, but Target’s arguments are essentially two overarching challenges. First, Target contends that no classwide proof supports Plaintiffs’ negligence claims or Plaintiffs’ PCSA claims. Part of this argument is Target’s contention that the negligence claims are subject to the laws of different states, making class treatment of those claims inappropriate. Second, Target contends that damages must be calculated on a bank-by-bank basis, meaning that individual damages issues predominate over any potential class-wide issues. 1. Choice of Law Target contends that Plaintiffs’ claims have only a “slight nexus” to Minnesota, making the wholesale application of Minnesota law inappropriate. According to Target, the Court must conduct a choice-of-law analysis with regard to each putative Plaintiff’s claim to determine which state’s negligence law applies. And indeed, Target argues the Court must evaluate each potential jurisdiction’s choice-of-law rules to even conduct the choice-of-law analysis. Such a complicated undertaking renders class treatment unworkable, Target insists. To apply Minnesota law to a non-resident plaintiff’s claims, the Constitution requires that Minnesota “have a significant contact or significant aggregation of contacts, creating state interests, such that choice of its law is neither arbitrary nor fundamentally unfair.” Allstate Ins. Co. v. Hague, 449 U.S. 302, 312-13 (1981). The first step in the analysis is to determine whether there are substantive conflicts among the laws of class members’ home states. Mooney v. Allianz Life Ins. Co. of N. Am., 244 F.R.D. 531, 534 (D. Minn. 2007) (Montgomery, J.). Only if there are such conflicts is it necessary to determine the 5 constitutionality of applying Minnesota law to those out-of-state Plaintiffs. Id. In this case, the Court may presume there are substantive conflicts between the laws of Plaintiffs’ home states and Minnesota law and still constitutionally apply Minnesota law. Minnesota’s contacts with this action are legion: Target is headquartered in Minnesota; its computer servers are located in Minnesota; the decisions regarding what steps to take or not take to thwart malware were made in large part in Minnesota. “These contacts are sufficient to allow application of Minnesota law to the claims of non-Minnesota class members without offending either the Due Process Clause or the Full Faith and Credit Clause.” Id. As Judge Montgomery aptly observed with respect to another large Minnesota-based company, Target “can not claim surprise by the application of Minnesota law to conduct emanating from Minnesota.” Id. And applying Minnesota law undoubtedly comports with putative Plaintiffs’ expectations: when dealing with a Minnesota corporation such as Target, it is possible and in fact likely that Minnesota law will apply to those dealings. Minnesota law applies to Plaintiffs’ claims. 2. Prima Facie Case Target argues that Plaintiffs cannot rely on classwide proof to establish the elements of their prima facie case of negligence or of a violation of the PCSA. a. Negligence A prima facie case of negligence requires a plaintiff to establish a duty of care, a breach of that duty, and an injury caused by that breach. Gilbertson v. Leininger, 599 N.W.2d 127, 130 (Minn. 1999). Target concedes that classwide proof is available as to the 6 existence of a duty and breach of that duty, but argues that Plaintiffs cannot rely on such classwide proof to establish injury or causation. Many of Target’s arguments on this point are bound up with Target’s arguments regarding damages, discussed in more detail below. Target contends that Plaintiffs’ injuries here are “risk of future harm” injuries that are not cognizable or susceptible of classwide proof. (Def.’s Opp’n Mem. at 54 (citing cases).) But there is a fundamental difference between the injury claimed in the consumer cases on which Target relies for this argument, in which the risk of future harm is a possibility that one’s financial information might at some point in the future be misused, and the injuries the Plaintiffs allege to have suffered. Most importantly, this is not a case in which Plaintiffs have yet to suffer any harm. According to a September 2014, American Bankers Association survey, banks reissued “nearly every card” that was subject to an alert after the Target breach. (Cantor Rep. at 16, Ex. 7.) This is not a “future harm.” This is a cost borne at the time of the breach and as a result of the breach. Target argues that because Plaintiffs were not required by contract, law, or regulation to reissue the so-called “alerted-on” cards, reissuance was a business decision and not an injury proximately caused by the breach. What Target suggests is that, because there was no requirement to act, financial institutions should have done nothing in the face of dire alerts regarding the data breach issued by the card-issuing companies and by Target itself and the known potential consequences for the institutions’ customers. The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach. Whether a specific action was legally mandated is 7 not required to establish injury or causation. Some action on the part of the financial institutions was certainly warranted, and a reasonable jury could so find. Plaintiffs have established for the purposes of the class-certification inquiry that they suffered injury proximately caused by the data breach. b. PCSA Plaintiffs’ second claim is that Target violated the Minnesota’s Plastic Card Security Act.3 That statute provides: No person or entity conducting business in Minnesota that accepts a[] [credit or debit card] in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. * * * * Whenever there is a breach of the security of the system of a person or entity that has violated this section . . . that person or entity shall reimburse the financial institution that issued any [credit or debit cards] affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders . . . . Minn. Stat. § 325E.64, subd. 2, 3. Target does not discuss the first subsection, thus conceding that the elements of this subsection are capable of classwide proof. 3 Plaintiffs’ third claim is a claim that Target’s violation of the PCSA constitutes negligence per se. Thus, to the extent their PCSA claim is susceptible of classwide proof, their negligence per se claim would likewise survive Target’s class-certification challenge. 8 Target’s arguments with regard to predominance and the PCSA focus on injury and causation. Specifically, Target contends that there can be no classwide proof as to which cards were “affected by” the breach, whether each bank’s actions were “reasonable” and were “undertaken . . . as a result of the breach,” and whether any such actions were taken “to protect the information of [] cardholders” or “to continue to provide services to cardholders.” As is the case with many of Target’s challenges to Plaintiffs’ class certification request, Target parses this statute almost beyond recognition. But even if Target correctly interprets the language of the statute, the substance of its challenge is without merit. Whether particular actions—reissuance, blocking accounts, reimbursing fraudulent charges, paying for customers’ fraud monitoring—are reasonable actions in the face of a data breach can be determined class-wide and need not be examined with respect to each financial institution individually. And it cannot seriously be questioned whether a financial institution’s actions in the weeks after the breach were “as a result of the breach.” It is self-evident that actions a financial institution took after being notified that its cards were involved in the Target breach were taken, at least in part, to protect the institution’s customers’ information and to provide service to those customers. Plaintiffs’ PCSA claim is susceptible of classwide proof. Class certification of this claim is appropriate. 3. Damages “[T]he need for individualized damages decisions does not ordinarily defeat predominance where there are . . . disputed common issues as to liability.” In re TJX Cos. 9 Retail Sec. Breach Litig., 246 F.R.D. 389, 398 (D. Mass. 2007) (quotation omitted).4 Having found such common liability issues, the question whether damages issues also predominate is thus less significant. Damages can and often are left to determination after liability issues are resolved, and indeed the Rules provide for certification of issue classes, allowing courts to certify a liability class but leave damages questions for later resolution. Fed. R. Civ. P. 23(c)(4). Target raises several different challenges to Plaintiffs’ damages contentions.5 First, Target argues that Plaintiffs lack standing because they have not established that all members of the Plaintiff class have suffered an injury in fact.6 Although each member of the Plaintiff 4 Target relies heavily on the TJX decision to support its argument that class certification is not appropriate. TJX is the only financial-institution data-breach case to reach the class certification stage, and the court in TJX ultimately denied certification. 246 F.R.D. at 401. But the claims in TJX were misrepresentation and consumer-fraud claims that required proof of individual reliance, something very different from the negligence and PCSA claims Plaintiffs here raise. The reliance issue in TJX made proving classwide liability impossible, and in turn made all of the other class-certification requirements similarly unworkable. See id. at 399 (noting that where liability requires individual determinations, “the fact that damages must be determined on a plaintiff-by plaintiff basis further weighs against class status.”). 5 One of Target’s challenges to Plaintiffs’ damages calculations was its request that the Court exclude Plaintiffs’ damages expert witness, Dr. Robin Cantor. The Court declined to exclude Dr. Cantor, finding her methodology sufficiently reliable at this stage to support Plaintiffs’ allegations regarding classwide damages. (Sept. 8, 2015, Order (Docket No. 581).) The Court will not further discuss Target’s arguments regarding Dr. Cantor’s alleged failure to support her conclusions. For purposes of this preliminary certification Motion, Plaintiffs have sufficiently demonstrated that damages can be calculated classwide. 6 Target alternatively asks that the Court stay the class certification determination until after the Supreme Court rules on an appeal from a recent 8th Circuit decision, Bouaphakeo v. Tyson Foods, Inc., 765 F.3d 791 (8th Cir. 2014). But it is far from clear that the Supreme Court will address the Article III issues in Bouaphakeo or that it will otherwise 10 class must of course have standing to pursue its claims—that is, must have suffered an injury in fact that is capable of redress by a favorable decision—that every financial institution whose customers’ cards were stolen in the breach suffered an injury in fact is readily apparent. Target’s second argument is that the Seventh Amendment prohibits class treatment of the claims and damages here, because Target has affirmative defenses to liability that must be heard by the same jury to hear Plaintiffs’ evidence on liability. According to Target, these affirmative defenses vary significantly from class member to class member, making class treatment inappropriate. Target specifically argues that its comparative fault affirmative defense is a defense to liability and thus must be heard by the same jury to hear liability. What Target calls comparative fault is not Plaintiffs’ potential co-liability for the data breach, however, but is Plaintiffs’ alleged failure to adequately respond to the data breach, thus allegedly increasing their damages. This is classic contributory negligence or failure to mitigate damages. Neither of these concepts relate to the underlying liability for the data breach; rather they affect the amount of damages to which Plaintiffs are entitled. It is clear that all of Target’s affirmative defenses are defenses to damages, not liability. Thus, the Seventh Amendment is not implicated. See In re TJX, 246 F.R.D. at 394 (dismissing TJX’s argument that affirmative defenses against some plaintiffs made class certification inappropriate, noting that rule on any issue that will advance this case. Target’s request for a stay is denied. 11 courts are “reluctant to deny class action status . . . simply because affirmative defenses may be available against individual members.”). Finally, Target contends that the reissuance and fraud losses must be made on a bank by-bank, loss-by-loss basis, making damages too individual for classwide determination. The Supreme Court has recently held that putative class plaintiffs must tie the common damages they seek to common theories of injury. Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1433 (2013). As Target frames the holding, Comcast means that Plaintiffs may only rely on damages that arise from the two theories of injury they propound in their commonality argument: reissuance and fraud losses. Target argues that proof of reissuance or fraud losses must be made on a bank-by-bank basis, because some banks reissued all alerted-on cards, some reissued only a few such cards, some suffered fraud losses, others suffered no fraud losses. But this argument ignores Dr. Cantor’s opinion that both types of damages are calculable on a classwide basis. More importantly, however, Comcast does not stand for the proposition that “a class cannot be certified under Rule 23(b)(3) simply because damages cannot be measured on a classwide basis.” Roach v. T.L. Cannon Corp., 778 F.3d 401, 407 (2d Cir. 2015); see also Comcast, 133 S. Ct. at 1436 (Ginsburg and Breyer, JJ, dissenting (noting that the “decision should not be read to require, as a prerequisite to certification, that damages attributable to a classwide injury be measurable ‘on a classwide basis.’”)); Butler v. Sears, Roebuck & Co., 727 F.3d 796, 801 (7th Cir. 2013) (holding that “the fact that damages are not identical across all class members should not preclude class certification). Thus, even if the damages alleged 12 here—reissuance costs and fraud losses—cannot ultimately be calculated on a classwide basis, class certification is still appropriate if the other certification factors are met and there is no risk that individual damages issues outweigh the classwide issues. See Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 623 (1997) (predominance is not satisfied if “individual questions . . . overwhelm questions common to the class”). Although Plaintiffs’ damages may ultimately require some individualized proof, at this stage Plaintiffs have established, through Dr. Cantor’s report, that it is possible to prove classwide common injury and to reliably compute classwide damages resulting from reissuance costs and fraud losses. See In re Visa Check/MasterMoney Antitrust Litig., 280 F.3d 124, 135 (2d Cir. 2001) (“The question for the district court at the class certification stage is whether plaintiffs’ expert evidence is sufficient to demonstrate common questions of fact warranting certification of the proposed class, not whether the evidence will ultimately be persuasive.”). Should classwide damages ultimately prove unworkable, a damages class can be decertified and damages questions stayed for determination after the liability phase concludes. Fed. R. Civ. P. 23(c)(4). B. Other Rule 23 Requirements Target pays lip service to its challenges to the other Rule 23 requirements, such as typicality, adequacy of representation, and superiority, but most of its challenges in this regard depend on the arguments regarding predominance rejected above. Plaintiffs’ claims are certainly typical—they arise “from the same event or practice or course of conduct that gives rise to the claims of other class members, and . . . are based on the same legal theory.” 13 In re TJX, 246 F.R.D. at 393. Similarly, the class representatives have “common interests with the members of the class” and have established that they “will vigorously prosecute the interests of the class through qualified counsel.” Paxon v. Union Nat’l Bank, 688 F.2d 552, 562-63 (8th Cir. 1982). Target’s selective quotations from the class representatives’ 30(b)(6) designees’ depositions in an attempt to discredit those designees do nothing to advance Target’s arguments in this regard. Finally, given the number of financial institutions involved and the similarity of all class members’ claims, Plaintiffs have established that the class action device is the superior method for resolving this dispute. See Fed. R. Civ. P. 23(b)(3) (listing four factors to consider when examining superiority). C. Appointment of Class Representatives and Class Counsel Rule 23 requires that a class-certification order also appoint class counsel. Target does not oppose Plaintiffs’ request to appoint Chestnut Cambronne and Zimmerman Reed as co-lead class counsel, or that the firms already appointed to the bank cases steering/executive committee or acting as liaison counsel for the bank cases be appointed co class counsel. Plaintiffs also request the appointment of several financial institutions to be class representatives: Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain. Other than the challenges noted above, Target apparently has no opposition to this class-representative appointment. The Court has had ample opportunity to observe the high quality of legal work by the members of the putative class’s legal team. In particular, these attorneys have diligently 14 worked to identify potential claims, have significant experience in handling class actions and the type of claims asserted here, have thorough knowledge of the applicable law, and have sufficient resources to prosecute this action on behalf of the class. Fed. R. Civ. P. 23(g)(1)(A)(i)-(iv). The Court will grant the requested appointment of class counsel and class representatives. CONCLUSION Accordingly, IT IS HEREBY ORDERED that: 1. Plaintiffs’ Motion for Class Certification and Appointment of Class Representatives and Class Counsel (Docket No. 462) is GRANTED; 2. The Court CERTIFIES the following class under Fed. R. Civ. P. 23(b)(3): All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013. 3. The Court APPOINTS Zimmerman Reed PLLP and Chestnut Cambronne PA as Co-Lead Counsel and Reinhardt Wendorf & Blanchfield; Lockridge Grindal Nauen P.L.L.P.; Barrett Law Group, P.A.; Levin, Fishbein, Sedran & Berman; Kessler Topaz Meltzer & Check LLP; Carlson Lynch Ltd.; Scott + Scott LLP; Hausfeld LLP; and Beasley, Allen, Crow, Methvin, Portis Miles, P.C. as Co Class Counsel for the Class; 4. The Court APPOINTS Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain as Class Representatives; and 15 5. The Court DIRECTS the parties to provide notice of the pendency of this action to the class as required by Fed. R. Civ. P. 23(c)(2)(B). Dated: September 15, 2015 s/ Paul A. Magnuson Paul A. Magnuson United States District Court Judge 16