Monday, December 15, 2014

The Target Hack, Negligence and the Class Action

As you may recall, in December of 2013 Target was the victim of a “major hack” of credit and debit card data.  And as you may or may not know, in May of 2014 of 2014, the Judicial Panel on Multidistrict Litigation consolidated the “[d]ozens of class action lawsuits” that followed the hack into “three groups”, all of which were assigned to a U.S. District Court Judge in Minnesota.  You can read more about that here.           
This post examines an order that judge issued on December 2, 2014, in which he ruled on a motion to dismiss a subset of those lawsuits.  In re Target Corporation Customer Data Security Breach Litigation (“ In re Target”), 2014 WL 6775314 (U.S.District Court for the District of Minnesota 2014).  He began the opinion on which he ruled on the motion by noting that
[i]n December 2013, Defendant Target Corporation, a Minnesota-headquartered retailer that is one of the nation's largest retail chains, announced that over a period of more than three weeks during the busy Christmas holiday shopping season, computer hackers had stolen credit- and debit-card information for approximately 110 million of Target's customers. Lawsuits soon followed this announcement, and ultimately the Judicial Panel on Multidistrict Litigation consolidated all federal lawsuits into this litigation. The multidistrict litigation consists of two distinct types of claims: those brought by consumers and those brought by financial institutions. The Motion at issue here seeks to dismiss only the Consolidated Amended Class Action Complaint . . . filed in the financial institution cases.
In re Target, supra.
The judge went on to explain that the plaintiffs whose lawsuits are at issue in the motion to dismiss he is ruling on are a
putative class of issuer banks whose customers' data was stolen in the Target data breach.

Plaintiffs' Complaint consists of four claims against Target. Count One contends that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. Count Two asserts that Target violated Minnesota's Plastic Security Card Act, and Count Three alleges that this violation constitutes negligence per se. Count Four claims that Target's failure to inform Plaintiffs of its insufficient security constitutes a negligent misrepresentation by omission.
In re Target, supra.
Target’s motion to dismiss, filed under Rule 12(b)(6) of the Federal Rules of Civil Procedure, argued that the financial institutions “have failed to plead sufficient facts to establish any of their claims.” In re Target, supra.  As Wikipedia explains, in the federal court system, someone (the Plaintiff) initiates a lawsuit by filing a “Complaint” with the U.S. District Court.  And as Wikipedia also explains, the Rule 12(b)(6) motion
is how lawsuits with insufficient legal theories underlying their cause of action are dismissed from court. For example, assault requires intent, so if the plaintiff has failed to plead intent, the defense can seek dismissal by filing a 12(b)(6) motion.’ . . .
The Judge who has the Target cases began his analysis of the financial institutions’ Rule 12(b)(6) motion by explaining that when a judge evaluates s motion to dismiss under
Rule 12(b)(6), the Court assumes the facts in the Complaint to be true and construes all reasonable inferences from those facts in the light most favorable to Plaintiffs. Morton v. Becker, 793 F.2d 185 (U.S. Courtof Appeals for the 8th Circuit 1986). However, the Court need not accept as true wholly conclusory allegations, Hanten v. School District of Riverview Gardens, 183 F.3d 799 (U.S. Court of Appeals for the 8th Circuit 1999), or legal conclusions that Plaintiffs draws from the facts pled. Westcott v. City of Omaha, 901 F.2d 1486 (U.S. Court of Appeals for the 8th Circuit 1990).

To survive a motion to dismiss, a complaint must contain `enough facts to state a claim to relief that is plausible on its face.’ Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007). Although a complaint need not contain `detailed factual allegations, it must contain facts with enough specificity `to raise a right to relief above the speculative level.’ 

`Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements,’ will not pass muster under Twombly. Ashcroft v. Iqbal, 556 U.S. 662 (2009). . . . In sum, this standard calls for `enough fact[s] to raise a reasonable expectation that discovery will reveal evidence of [the claim].’ Bell Atlantic Corp. v. Twombly, supra.
In re Target, supra. 
He began his analysis of the motion to dismiss at issue here with the Plaintiffs’ negligence claim, explaining that the parties to this litigation agreed that,

at least for the purposes of this Motion, Minnesota law governs Plaintiffs' negligence claim. A claim of negligence under Minnesota law requires a plaintiff to allege four elements: duty, breach, causation, and injury. Schmanski v. Church of St. Casimir of Wells, 243 Minn. 289, 67 N.W.2d 644 (Minnesota Supreme Court 1954). Target contends that Plaintiffs have failed to sufficiently allege that Target owed them a duty or that Target breached any duty.

In re Target, supra. 
The judge then explained that Minnesota law “imposes a duty ‘to act with reasonable care for the protection of others in two situations”.  In re Target, supra.  
`First, . . .  general negligence law imposes a general duty of reasonable care when the defendant's own conduct creates a foreseeable risk of injury to a foreseeable plaintiff.  See 1 J.D. Lee & Barry A. Lindahl, Modern Tort Law: Liability & Litigation § 3.48 (2d edition 2003).’

`Second, a defendant owes a duty to protect a plaintiff when action by someone other than the defendant creates a foreseeable risk of harm to the plaintiff and the defendant and plaintiff stand in a special relationship. See Bjerke v. Johnson, 742 N.W.2d 660 (Minnesota Supreme Court 2007). In other words, although a defendant generally does not have a duty `to warn or protect others from harm caused by a third party's conduct,’ H.B. ex rel. Clark v. Whittemore, 552 N.W.2d 705 (Minnesota Supreme Court1996), an exception to this rule exists when the parties are in a special relationship and the harm to the plaintiff is foreseeable.’

Domagala v. Rolland, 805 N.W.2d 14 (Minnesota Supreme Court 2011). The existence of a duty is a question of law. ServiceMaster of St. Cloud v. GAB Bus. Servs., Inc., 544 N.W.2d 302 (Minnesota Supreme Court 1996).
In re Target, supra. 
He went on to explain that Target argued that the plaintiffs’ claims should be analyzed
as falling under the third-party-harm type of negligence, so that to be liable Target and Plaintiffs must stand in a “special relationship” with one another. Target asks the Court to find as a matter of law that Target had no duty to Plaintiffs because there is no special relationship between Plaintiffs and Target and, in any event, `”a person has no duty under Minnesota law to protect another from the harmful conduct, including criminal conduct, of a third person.”’ (Def.'s Supp. Mem. at 6. . . .)

Plaintiffs argue that this is not a third-party-harm case but rather is a straightforward negligence case: Target's own conduct, in failing to maintain appropriate data security measures and in turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm.

Plaintiffs also argue that, even if this situation is a third-party-harm situation where a special relationship between Plaintiffs and Target is required, they have pled such a special relationship here. But as Target points out, Minnesota has recognized this “separate and distinct” special relationship doctrine, Domagala v. Rolland, 805 N.W.2d 14 (Minnesota Supreme Court 2011), in a very few, limited situations that are not applicable here. . . . Moreover, the Minnesota Supreme Court has cautioned against extending those situations further. See H.B. By and Through Clark v. 552 N.W.2d 705 (1996) (stating that `this court has carefully carved out’ the `outer boundaries’ of the special relationship exception).

At this preliminary stage of the litigation, Plaintiffs have plausibly pled a general negligence case. Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur. Indeed, Plaintiffs' allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case: Plaintiffs allege that Target's `own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff.’ Thus, the Court must determine whether Plaintiffs have sufficiently pled Target owed Plaintiffs a duty of care under general negligence principles.
In re Target, supra. 
The judge then explained that the Minnesota courts have considered these factors in
determining whether a defendant owed a duty of care in a general negligence case: (1) the foreseeability of harm to the plaintiff, (2) the connection between the defendant's conduct and the injury suffered, (3) the moral blame attached to the defendant's conduct, (4) the policy of preventing future harm, and (5) the burden to the defendant and community of imposing a duty to exercise care with resulting liability for breach. breach. Domagala v. Rolland, supra. The duty to exercise reasonable care arises from the probability or foreseeability of injury to the plaintiff. Domagala v. Rolland, supra.   `Although in most cases the question of foreseeability is an issue for the jury, the foreseeability of harm can be decided by the court as a matter of law when the issue is clear.’ Foss v. Kincaid, 766 N.W.2d 317 (Minnesota Supreme Court 2009). The Court evaluates Plaintiffs' allegations regarding these factors in the light most favorable to Plaintiffs, keeping in mind that this Motion tests only the sufficiency of those allegations and not the ultimate success of Plaintiffs' legal theories.

Plaintiffs have plausibly alleged that Target's actions and inactions -- disabling certain security features and failing to heed the warning signs as the hackers' attack began -- caused foreseeable harm to Plaintiffs. Plaintiffs have also plausibly alleged that Target's conduct both caused and exacerbated the harm they suffered. And Plaintiffs' allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs' customers' data is also plausible. Imposing a duty on Target in this case will aid Minnesota's policy of punishing companies that do not secure consumers' credit- and debit-card information. See Minn.Stat. § 325E.64. And despite Target's dire warnings about the burden of imposing such a duty, it is clear that the institutional parties to credit- and debit-card transactions have already voluntarily assumed similar duties toward one another. See, e.g., In re Heartland Payment Systems, Inc. Customer Data Sec. Breach Litigation, 834 F.Supp.2d 566 (U.S. District Court for the Southern District of Texas 2011) (noting that Visa and MasterCard Card Operating Regulations, which apply between merchants, issuer banks, and acquirer banks, specify procedures for issuer banks to make claims in the event of data breaches). . . .
In re Target, supra.  So he found that the plaintiffs had adequately pled Target owed them a duty of care, declined to dismiss their claim on this basis.  In re Target, supra. 
The judge went on to note that because the plaintiffs had
plausibly alleged the existence of a duty, there can be no doubt that Plaintiffs have also plausibly alleged that Target breached that duty by failing to safeguard Plaintiffs' customers' information. Because Target does not challenge Plaintiffs' allegations with respect to the elements of causation and damages, Plaintiffs' negligence claim succeeds in stating a claim on which relief can be granted.
In re Target, supra. 
He then took up the defendants’ attempt to have the plaintiffs’ separate cause of action (alleged in Count 4 of their Complaint) for “negligent-misrepresentation-by-omission”.  In re Target, supra.  He explained that in this claim, the plaintiffs alleged that Target had
`failed to disclose material weaknesses in its data security systems and procedures’ that it had an obligation to disclose. . . . According to Target, this claim fails for multiple reasons: Target had no duty to disclose anything to Plaintiffs; Plaintiffs have failed to plead this claim with the particularity Rule 9(b) requires; a negligent misrepresentation claim does not lie with respect to statements about Target's intent; and Plaintiffs have failed to allege reliance, which is an essential element of a negligent-misrepresentation-by-omission claim.
In re Target, supra.  Next, he analyzed each element of the claim. In re Target, supra. 
He began with duty, noting that as a general rule,
`one party to a transaction has no duty to disclose material facts to the other.” Smith v. Questar Capital Corp.,  2014 WL 2560607 (U.S. District Court for the District of Minnesota 2014). This rule applies `unless (1) there existed a fiduciary or confidential relationship between the parties; (2) one party was in possession of special facts that could not have been discovered by the other; or (3) one party who chooses to speak omits information so as to make the information actually disclosed misleading.’ misleading.’ Smith v. Questar Capital Corp., supra.

Plaintiffs have not alleged there is a fiduciary or confidential relationship between Target and Plaintiffs. Rather, Plaintiffs contend that Target knew facts about its ability to repel hackers that Plaintiffs could not have known, and that Target's public representations regarding its data security practices were misleading. Target takes issue with Plaintiffs' allegations in this regard, but on a Motion to Dismiss, the Court must determine only whether the allegations are plausible. The allegations meet that plausibility standard, and Plaintiffs have adequately pled a duty of care.
In re Target, supra. 
He then took up the defendants’ argument that the Plaintiffs had not satisfied the “stricter pleading requirements” of Rule 9(b) of the Federal Rules of Civil Procedure. In re Target, supra.  The judge explained that Rule 9(b) requires that, in alleging “fraud or mistake,”
`a party must state with particularity the circumstances constituting fraud or mistake.’ Fed.R.Civ.P. 9(b). These heightened pleading requirements apply to negligent-misrepresentation-by-omission claims. Trooien v. Mansour, 608 F.3d 1020 (U.S. Court of Appeals for the 8th Circuit 2010). In the context of a claim of negligent omission, the Rule is satisfied `if the omitted information is identified and “how or when” the concealment occurred.’ In re Bisphenol–A (BPA) Polycarbonate Plastic Prods. Liab. Litig., 687 F.Supp.2d 897 (U.S. District Court for the Western District of Missouri 2009). . . .

Plaintiffs have identified the omitted information, namely Target's failure to disclose that its data security systems were deficient and in particular that Target had purposely disengaged one feature of those systems that would have detected and potentially stopped the hackers at the inception of the hacking scheme. Plaintiffs contend that these omissions were made in representations such as Target's online Privacy Policy and in Target's agreement to comply with Visa and MasterCard's Card Operating Regulations and other security requirements.
In re Target, supra.  He also noted that while “these allegations are not as detailed as Target would like, at this early stage of the litigation they are sufficient to allege the `how or when” the information regarding Target's data security practices was omitted from disclosure”, which means the plaintiffs had satisfied Rule 9(b).  In re Target, supra. 
Next, Target argued that the plaintiffs’ negligent omission claim was not cognizable
because it is founded on alleged omissions regarding what Target intended to do with respect to data security. Target contends that an omission regarding Target's `present intention to act in the future’ is not actionable because it cannot be proved false. . . . . But Target misconstrues Plaintiffs' claim.

Plaintiffs' negligent-omission claim is not premised on any statement about Target's future intentions or even on Target's statements about the data breach itself, but rather on the fact that Target held itself out as having secure data systems when Target knew that it did not have secure systems and had taken affirmative steps to make its systems more vulnerable to attack. At this stage of the case, this allegation is sufficient to state a claim for negligent omission.
In re Target, supra. 
And, finally, the judge took up the issue of “reliance”, noting that Target argued that the
[p]laintiffs have failed to plead any reliance on the alleged omissions. Plaintiffs respond that reliance is not required, citing Judge Nelson's recent Smith decision. . . . But Smith did not hold that reliance is not a required element for a negligent omission claim. Rather, Smith found reliance was a `fact-intensive’ inquiry inappropriate for resolution on a motion to dismiss. Smith v. Questar Capital Corp., supra.  
In re Target, supra. 
He went on to explain that a plaintiff alleging a securities fraud-by-omission claim
need not plead or prove reliance if the omitted information is material -- reliance on that material information is presumed. Affiliated Ute Citizens v. United States, 406 U.S. 128 (1972). But courts have not extended this presumption of reliance outside of the securities-fraud context. Plaintiffs are therefore required to plead reliance on Target's alleged omissions in order to state a claim for relief.

The Complaint contains no indication that Plaintiffs relied on any of the alleged omissions. Rather, the Complaint merely avers that Plaintiffs `suffered injury’ `as a direct and proximate result of Target's negligent misrepresentations by omission.’ . . . This is insufficient to plead reliance, and Plaintiffs' negligent-misrepresentation-by-omission claim must therefore be dismissed. Assuming that there are facts supporting Plaintiffs' reliance on the alleged omissions, Plaintiffs may file an amended complaint within 30 days that fully and plausibly alleges all of the required elements of a negligent-misrepresentation-by-omission claim.
In re Target, supra. 
And, finally, he found that the plaintiffs claim under the Minnesota Plastic Card Security Act survived, which means only one of the plaintiffs’ claims was dismissed. In re Target, supra. 

No comments: