U.S.
District Judge Paul Magnuson has cleared the way
for consumers to sue Target over the retailer's late 2013 massive data breach.
The breach became public near the height of the holiday shopping season. Judge Magnuson did dismiss claims by plaintiffs in
certain states but largely denied Target's request to toss the proposed class
action lawsuit altogether. What was dismissed were claims brought under
deceptive trade practices laws in three states, claims under data-breach notice
laws in nine states after the plaintiffs withdrew them in another three, negligence
claims brought under five states' laws, and a class action that could not be
maintained for claims under consumer-protection statutes in another 10 states.
The ruling followed a similar
decision by Judge Magnuson allowing banks to move forward with a lawsuit to
recoup money they spent reimbursing fraudulent charges and issuing new credit
and debit cards because of the breach.
Magnuson rejected Target's
argument that the consumers lacked standing to sue because they could not
establish any injury. Judge Magnuson wrote in his Order, "Plaintiffs'
allegations plausibly allege that they suffered injuries that are 'fairly traceable'
to Target's conduct…”
Target reported that at least 40
million credit cards were compromised in the breach, which may have resulted in
the theft of as many as 110 million people's personal information, such as
email addresses and phone numbers.
The
case is In re: Target Corporation Customer Data Security Breach Litigation,
U.S. District Court, District of Minnesota, No. 14-md-02522.
