Last week, the Eighth Circuit Court of Appeals reversed the approval regarding the settlement class in a consumer class action arising from Target Corporation’s 2013 data breach.
In 2013 Target was hit by a massive data breach which arguably has been one of the most high-profile data breaches of recent time. Debit and Credit card information for up to 110 million customers was stolen, resulting in over 100 lawsuits across the country.
The court grouped the cases into three categories: those brought by consumers, those bought by financial institutions, and those brought by shareholders. You can read more about what each of the three unique cases mean, which we previously detailed in full here.
The financial institution suit settled without objection, and the shareholder suit was dismissed. That leaves the consumer suit, which as of last November, the judge had approved a settlement to put this one to rest as well.
Not So Fast…
The original proposed settlement terms of the consumer class action suit had Target committing to create a $10 million fund that would pay consumers’ claims for up to $10,000 if they can document unreimbursed losses. Affected customers would be sent a claim form which detailed several types of harm that could have been inflicted on them due to a breach. For example, unauthorized charges, fees paid on accounts, corrections to credit reports, etc. Consumers then need to be able to provide supporting documentation.
Many consumers objected to this settlement. One primary reason being that the claims didn’t account for the hassle and time spent dealing with the aftermath of a breach. Secondly, those who suffered no monetary loss from the security breach but could face future identity theft issues could potentially receive nothing. In fact, Target lawyers admitted to the Eight Circuit panel that 99% of the lawsuit plaintiff’s class would receive no monetary settlement.
On Wednesday, the Eighth Circuit Court of Appeals reversed the district court’s certification of the settlement, essentially making a motion to review the case. This is due to the fact of a potential intra-class conflict between customers who suffered financially, and those who didn’t but could potentially in the future. The Eighth Circuit is going to “conduct and articulate a rigorous analysis” of the case in order to determine if the settlement is suitable.
Overall this case shines a light on the bigger issue on data breach victims. For consumers who suffered a significant monetary loss due to a data breach and can prove it with supporting documentation, there is no issue. The problem comes for all the consumers who were intangibly affected, if their data was compromised but they did not directly suffer monetary loss, how should these cases be handled? This is going to be a bigger issue as data breaches continue to increase in size and scale.
While a breach like Target garners significant media attention, the company isn’t the only organization subject to class-action data breach lawsuits. Our blog post from July details the rising trend of lawsuits and how these can affect companies, from forcing to pay up to tarnishing that all-important brand reputation.