A judge on Tuesday granted class action status to a lawsuit against retail giant Target, filed by five financial institutions, over a data security breach in December 2013 that affected about 110 million customers and led the institutions to reissue debit and credit cards. Photo: Northfoto/Shutterstock
MINNEAPOLIS, Sept. 15 (UPI) -- The U.S. District Court of Minnesota on Tuesday granted class action status to a lawsuit filed against retail giant Target over a data security breach that affected more than 100 million customers and resulted in severe financial consequences nearly two years ago.
In the 16-page ruling, U.S. District Court Judge Paul A. Magnuson rejected Target's arguments against class action status -- including its claim that the losses should be measured on a case-by-case basis rather than as a whole
The data breach, which occurred in December 2013, exposed sensitive information of about 110 million customers and cost the company and financial partners tens of millions of dollars.
Earlier this year, Target reached settlements with Visa and MasterCard to resolve part of the fallout, but five financial institutions -- Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain -- fought it.
The suit was brought by the institutions seeking damages because the breach led them to reissue about 25,000 debit and credit cards at a cost of about $30 million.
Target claimed that since reissuing the cards wasn't required by law, it shouldn't be held liable for those costs incurred by its fiscal partners. Judge Magnuson called that argument "absurd" and hypocritical.
"What Target suggests is that, because there was no requirement to act, financial institutions should have done nothing in the face of dire alerts regarding the data breach issued by the card-issuing companies and by Target itself and the known potential consequences for the institutions' customers," he said in the ruling. "The absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards, both debit and credit, in the weeks after the breach. Whether a specific action was legally mandated is not required to establish injury or causation."
"Credit unions incurred at least $30 million in card reissuance costs related to the Target breach and I'm encouraged this case was awarded class action status," Credit Union National Association President Jim Nussle said. "While this is a step in the right direction, we need Congress to enact meaningful data security legislation to stop future data breaches."
The Minneapolis-based retailer expressed displeasure with Tuesday's ruling.
"Target was disappointed by the decision," a company representative told the Credit Union Times. "Once we have had the opportunity to review the judge's written ruling, we will evaluate next steps."
The court's decision enables other financial institutions affected by the breach to join the lawsuit, rather than attempting to sue the company in a separate case. Financial companies that have already negotiated a settlement with Target, though, are barred from joining the suit.