Plaintiffs issued credit and debit cards to consumers who, in turn, used those cards at Target stores during the period of the 2013 data breach. The putative class representatives alleged negligence and violations of Minnesota’s Plastic Security Card Act, and suffered injury in the form of replacing cards for their customers, reimbursing fraud losses, and taking various other remedial steps in response to the Target data breach.
Applying Minnesota law, the district court noted that: “Minnesota’s contacts with this action are legion: Target is headquartered in Minnesota; its computer servers are located in Minnesota; the decisions regarding what steps to take or not take to thwart malware were made in large part in Minnesota. These contacts are sufficient to allow application of Minnesota law to the claims of non-Minnesota class members without offending either the Due Process Clause or the Full Faith and Credit Clause…. Target ‘can not claim surprise by the application of Minnesota law to conduct emanating from Minnesota.’ And applying Minnesota law undoubtedly comports with putative Plaintiffs’ expectations: when dealing with a Minnesota corporation such as Target, it is possible and in fact likely that Minnesota law will apply to those dealings.”
The court also rejected Target’s challenge “that Plaintiffs lack standing because they have not established that all members of the Plaintiff class have suffered an injury in fact. Although each member of the Plaintiff class must of course have standing to pursue its claims—that is, must have suffered an injury in fact that is capable of redress by a favorable decision—that every financial institution whose customers’ cards were stolen in the breach suffered an injury in fact is readily apparent.”
In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, 2015 WL 5432115 (D. Minn. Sept. 15, 2015).