In the wake of the massive Target data breach, consumers and others may be inclined to go to their lawyers and ask the stupidest question you can ever ask a lawyer, “can I sue?”
The answer to that question is always, “yes.”
And what would you sue for? The answer to that one is, “for a real long time.”
In fact, multiple lawsuits have already been filed on disparate theories. We can anticipate more to follow. But do these suits have legal merit, will they succeed, and should they?
Class Action
News outlets have already reported multiple class action lawsuits being filed against Target for failing to protect consumers’ personal information and debit or credit card numbers. Unlike an individual lawsuit, a class action is filed not just on behalf of an individual client, but on behalf of “others similarly situated.”
As a result, the lawyer who files the class action simply seeks out a single (or a few) “named” plaintiffs who have suffered an injury, find what they believe is a favorable venue of jurisdiction, and then file a lawsuit purporting to speak for tens of thousands or millions of “clients” they had never met, and likely never would.
If a class action is “certified” by the court, then the court has allowed that lawyer and that lawsuit to effectively represent the interests of all of those clients.
Think about it – the lawyer just got a million clients without advertising, without entering into a retainer agreement with them, without investigating the merits of their claims or their damages, and in fact without doing anything but claiming to represent them.
In fact, justice goes to the swift, and therefore there is a tendency to rush to the courthouse to be the first to file a class action lawsuit – which is why there have been a half dozen suits against Target even before anyone knows what actually happened.
There are many advantages to a class action lawsuit – to the lawyers, to the potential clients, and even to entities like Target itself. It represents a way to air out thousands (or millions) of claims at the same time, and is certainly faster, cheaper and easier than responding to millions of individual lawsuits.
It achieves the potential for a global settlement of issues and damages, and provides a way for the defendant to put the entire case behind it. For the lawyer, it represents a way to make a good deal of money in settlement – a lot more than in an individual case, particularly where the individual damages are minimal.
And to the individual plaintiff – the Target customer – it represents a way to get some relief – whether it is a small monetary settlement, an agreement on credit monitoring, a discount, a new credit card, whatever, without having to hire a lawyer individually and sue.
Yet there are significant obstacles to the litigation. This doesn’t mean that it won’t succeed.
It will.
In fact, once the class action cases are consolidated and litigated, Target will undoubtedly settle the case. In fact, they likely will give the individual class plaintiffs (as opposed to companies, which I will describe later) everything they requested without litigation.
They will provide some credit monitoring services to those who want it. They will provide discounts (already 10%) to those potentially impacted, or maybe some coupons as well.
They will provide assistance in obtaining new credit or debit cards to those who wish. They will, to the extent they are able, make their consumers “whole.” And under the law, that is all they would be entitled to (unless a court ordered punitive damages, which is unlikely under the current facts) even if they filed individual lawsuits.
Individual Lawsuits
So lets say you sued Target personally for damages. What exactly are your “damages?” Under the tort (civil wrong) system, a party that fails to meet a reasonable standard of due care must compensate the party harmed by that failure for damages that result from the failure.
Was Target actually “negligent?” We all assume so, under the theory of “res ipso loquitor” which means “the thing speaks for itself.”
Of course Target screwed up – how could they not? They lost 40 million credit and debit card numbers! They were attacked for two whole weeks before they told anyone! Why this is an outrage!
There is little doubt (some doubt in the law, actually) that Target had a duty to protect consumers’ personal information and credit card information. Maybe.
First of all, it’s not entirely clear that this information is YOUR information. The credit card number belongs to the issuer, not you. The duty to protect this data comes under a contract between Target and its bank under the Payment Card Industry, Digital Security Standards (PCI DSS) guidelines. You are neither a party to that contract, nor necessarily what the law calls a “third party beneficiary” of that contract.
So it’s not clear that Target had any duty TO YOU to protect your bank’s credit card information.
But, you claim, Target violated its privacy policy when it failed to protect the credit card information. Courts have recently held (most recently in the lawsuit against Apple) that companies are not bound by their OWN privacy policies. Under this line of cases, YOU would have to show that you read, understood and relied on Target’s privacy policy when you decided to use your credit card at a brick and mortar Target store between Black Friday and December 15, and that decision was in some way based upon reliance on that policy.
Yes, that’s right. You are bound by their contracts whether you read them or not, but they are bound by their own contract only if you can prove that you read it and relied on it.
It’s also not clear that Target violated any duty of due care. If we accept PCI-DSS as the standard of care for protection of credit card data, we don’t know that Target breached its obligations under PCI DSS.
In fact, currently we don’t know much about how the breach occurred. The class action plaintiffs are actually claiming what amounts to a strict liability standard – if my data is breached, you owe me money no matter what.
However, that is not the law. The law requires proof that the entity failed to do something that a reasonable merchant would have done. The complaints filed have not yet stated what that thing Target did wrong was, because they don’t know. Rule 11 of the Federal Rules of Civil Procedure requires the lawyer filing the lawsuit to certify that “the claims … are warranted by existing law” and that “the factual contentions have evidentiary support, or will have evidentiary support after discovery.”
So the class action lawsuits now are necessarily broad and vague. We THINK Target was negligent. We THINK we suffered harm. We THINK they screwed up. But we don’t know. But we want a jury to award millions in damages anyway. But that’s how lawsuits work. You don’t get to find out what happened until after you file a suit. And the claim of “negligence” is certainly not “frivolous” but it is by no means a foregone conclusion.
This points out that a company can be fully compliant with the law, or with standards (and I am not suggesting that Target was, or wasn’t) and still be breached. Remember that a hacker can fail 100,000 times, but succeed once, and they are in. Maybe they should have detected the breach, maybe not. Maybe they should have prevented it, maybe not. Maybe they should have notified earlier, maybe not. The short answer is, “we don’t know.”
A consumer may also want to allege a breach of contract. I gave Target something valuable – my personal information. Not only did I provide my name, address, and credit card information, but also my purchasing habits, dates I visited Target and other personal information.
That constitutes “consideration” for a contractual obligation to not only protect the data, but also to use the data only for the purposes in the privacy policy. Unfortunately, many courts have found this consideration to be inadequate to form a contract, and have refused to impose an obligation on companies based on the provision of data.
Moreover, other courts have held that the data doesn’t belong to the consumer. When Target makes a record that you bought a pair of sneakers at a store in Dearborn, that is Target’s information, not yours. Even though Target may make millions mining, selling, or slicing and dicing this information, some courts have found that the consumer has few rights with respect to that data.
Then there is the issue of damages. Even if Target had a legally cognizable duty to protect this data, and even if that duty flowed to the consumer, and even if they negligently breached their duty, what is the actual damage to the average consumer?
If you simply suspect that your credit card might be used in the future for unauthorized charges, courts have also found that this kind of “stress” or “anxiety” about potential fraud is too speculative as damages. What’s the dollar value to a single consumer about being worried that their card “might” be used without authorization? $10? $20?
Is an ordinary consumer really going to seek out psychiatric treatment for a lost credit card number that they can replace at no cost to themselves with a phone call? Remember, the goal of the legal system is to compensate the victim for actual losses they incurred and can prove in court.
If the card was actually fraudulently used (and if you can show that it was used as a direct result of the Target hack, and not any of thousands of other hacks) then you may have some damages – but usually slight.
Under what is called Schedule E, a consumer is liable for only $50 for unauthorized charges. But as a practical matter, consumers have no liability for unauthorized charges. If they see them. The consumer will have to take the time to examine their credit card statements or bank account statements to see if there are unauthorized charges. But if they are willing to hire a lawyer, file a lawsuit, go to deposition, go to court and testify about their damages, then asking them to look at their bank statements seems a small price to pay.
IF they are really worried about unauthorized charges, they can replace their cards – but at a cost of time and inconvenience. They would have to relink their PayPal, Amazon, or other accounts to the new number. If a debit card is compromised, a consumer could be out funds during the critical Christmas shopping season. When the banks imposed debit and credit limits due to the fraud, some consumers were unable to purchase (and other merchants unable to sell) items that they wanted. So there are some damages but not a whole heck of a lot. Not the kind for which someone would individually sue Target.
There is also the cost to “remedy” the problem for the consumer. That is, to ensure that the problem doesn’t get worse. This would include the cost of credit monitoring, credit repair, or credit “freeze” services. It appears likely that Target will offer these services to those who wish them even without litigation. Most breached entities do. But even these services have limited cost and value. A concerned consumer could of course log in to www.annualcreditreport.com or other similar services and get up to three free credit reports to look for unauthorized activity (of course, after the fact, but still.)
Moreover, it’s unclear that the data obtained by the Target hackers will help them commit identity theft, as opposed to simple credit card fraud. That is, that they will be able to use the stolen data to open NEW credit cards in the consumers’ name, as opposed to using the credit card that they stole. And credit monitoring primarily looks for NEW fraudulent credit. So it’s of little utility in cases like this.
But there are actual losers in these cases. Stay tuned for my next article: Banks and Insurance Companies vs. Target.