advertisement

Target customers face no harm-no foul argument in suit

Millions of Target Corp. customers whose credit card data and identifying information was stolen by hackers face the prospect the retailer owes them nothing for their ensuing troubles, and they may have the government to thank for it.

The retailer is counting on a U.S. Supreme Court ruling from last year grounded in the principle of no harm-no foul to win dismissal of about six dozen lawsuits that piled up after it disclosed a massive data breach six days before Christmas.

The high court's 2013 decision that people have no basis to seek damages from the government if they can't prove they were in imminent danger of being hurt by wiretapping surveillance already has helped at least half a dozen companies fend off lawsuits over lost or stolen customer data. A victory for Target would also benefit retailers including Home Depot Inc. that face lawsuits after an explosion of hacking intrusions.

Judges in previous cases found that the mere risk of identity theft alone isn't enough, without proof of actual or imminent financial loss, for cases to proceed in federal court, said Andrew Hoffman, an attorney with the technology-centered Information Law Group in West Palm Beach, Florida.

Target is scheduled to make that argument today to a federal judge in St. Paul, Minnesota, less than two weeks after the same judge refused to throw out claims by banks that had to deal with the consequences of Target's breach.

Supreme Court

The Supreme Court's ruling stems from a case filed by Amnesty International against U.S. Director of National Intelligence James Clapper. Civil rights activists alleged that they feared government prying into their international phone calls and e-mails.

The high court ruled 5-4 that the activists couldn't challenge the surveillance program without first demonstrating it had harmed them. The court's majority deemed the claims too speculative to meet a requirement that injury must be "certainly impending."

That decision was the basis for rulings by separate federal judges in Chicago dismissing data breach cases against Neiman Marcus Group LLC and Barnes & Noble Inc. Lawyers for Barnes & Noble are now fighting an attempt to revive the case.

Vincent Esades, one of the lead lawyers for consumers suing Target, declined to comment on it while his colleague, David Woodward, didn't immediately respond to phone and e-mail messages seeking comment.

Molly Snyder, a spokeswoman for Minneapolis-based Target, declined to address the lawsuits directly while saying in an e- mail that the company continues to take steps to protect customers from cybercrime.

Lawsuits Multiplied

The lawsuits against Target multiplied in the weeks following its disclosures in December and January that credit- and debit-card data for 40 million customers was stolen and that home and e-mail addresses for as many as 70 million people were compromised.

In complaints filed across the nation, customers said the theft left them at risk for unauthorized charges, identity theft, loss of account access, assessment of late fees and credit-score damage. The lawsuits are now consolidated before U.S. District Judge Paul Magnuson in St. Paul.

The consumer lawyers' best shot at keeping their claims alive is to impress upon the judge that frozen bank accounts, unreimbursed late fees and other costs are tangible losses that go beyond the mere threat of future injury at the heart of the Supreme Court case, Hoffman said in an interview.

"These were things they allege that happened to them through no fault of their own," he said. "The case is going to come down to whether the court thinks these injuries are sufficient."

Target's response that the customers don't sufficiently trace their injuries to the company alone "could be a problem for the plaintiffs," he said.

Bank Lawsuits

Banks that were forced to reimburse fraudulent charges and issue new credit and debit cards as a result of the Target breach aren't relying on the same laws as the consumers in their lawsuits against the retailer.

Magnuson refused Target's request to dismiss the bank cases on Dec. 2, saying the financial institutions made a plausible claim for negligence. He added that "imposing a duty on Target in this case will aid Minnesota's policy of punishing companies that do not secure consumers' credit- and debit-card information."

Many consumer cases over data breaches were doomed from the start because lawyers rushed to file them before their clients experienced any consequences, said Stephen Prignano, a lawyer with Edwards Wildman Palmer LLP who defends against class-action lawsuits.

'Persistent Problem'

"That has been a persistent problem," said the attorney, who isn't involved in the Target litigation.

The Supreme Court's "Clapper" decision hasn't made companies invincible to data breach lawsuits.

Consumers who sued a video-game making unit of Sony Corp. and software maker Adobe Systems Inc. defeated company bids to throw out their cases. The federal judges in California who issued those rulings concluded that claims over hacking injuries weren't barred by the reasoning in the Clapper case.

The Sony case in San Diego eventually settled for $19 million, according to court filings. The Adobe case is pending in San Jose.

A Chicago lawyer who represents customers in the Home Depot, Barnes & Noble and Neiman Marcus cases said consumers do face the "clearly impending" risk of harm laid out by the Supreme Court in the Clapper case. Companies and judges that say otherwise are missing the point, he said.

Unauthorized Withdrawals

"There is no need to speculate as to whether the hackers intend to misuse the personal information stolen in the data breaches or whether they will be able to do so," attorney Joseph Siprut said in an e-mail. "The stolen data has already surfaced on the Internet, and class members have incurred actual unauthorized withdrawals from their bank accounts!"

William McGeveran, a University of Minnesota professor specializing in data privacy law, said there's a difference between the ''real problem'' facing victims of hackers and someone's worries that the government may be eavesdropping on them.

"Target plaintiffs have a lot more factual basis for their claims than that," he said.

Whether the no harm-no foul rule in the Clapper case becomes the law of the land for data breach cases will depend on how appeals courts sort out the issues.

"It's possible that the issue is going to go to the Supreme Court in a couple of years," Hoffman said.

Target's Spokeswoman

Target's spokeswoman, Snyder, said customers have told the company "they have moved on" from last year's breach.

"We recognize that the world of advanced cybercrime represents a constantly evolving threat," Snyder said in her e- mail. "We have taken and will continue to take significant steps to protect our guests, team members and company. We also know that this is a challenge not just for Target but for the broader retail industry and beyond."

The case is In Re. Target Corp. Customer Data Security Breach Litigation, 14-md-2522, U.S. District Court, District of Minnesota (St. Paul).

Article Comments
Guidelines: Keep it civil and on topic; no profanity, vulgarity, slurs or personal attacks. People who harass others or joke about tragedies will be blocked. If a comment violates these standards or our terms of service, click the "flag" link in the lower-right corner of the comment box. To find our more, read our FAQ.