Data Breach Litigation – A Web of Federal and State Laws. Part Two


The Target breach illustrates the breadth of applicable state laws when a data breach affects a large company. On December 19, 2013, Target announced that it had been the victim of a criminal attack on its computer network by third-party intruders who stole payment card data and other personal information from Target shoppers who shopped at Target from November 27 through December 18, 2013. The retailer now estimates that about 42 million people had their credit or debit information stolen, with the largest totals coming from California, Texas, and Florida.

Class action lawsuits were brought on behalf of customers across the country, alleging violations of consumer protection statutes of 49 states and the District of Columbia, and data breach notification statutes of 38 states. Judge Magnuson of the District of Minnesota denied Target’s motion to dismiss claims brought under the consumer protection laws of 37 states (dismissing those where the states did not allow private rights of action and/or class actions); and denied the motion to dismiss claims based on data breach notification statutes of 26 states (where the states allow private rights of action). While many consumer protection statutes have general “unfair practices” language similar to federal law, some of the states’ laws are surprisingly specific. Target’s home jurisdiction of Minnesota has a particularly specific rule, the Plastic Card Security Act (PCSA), which imposes liability upon merchants who retain credit card information “subsequent to the authorization of the transaction,” or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. Minn. Stat. § 325E.64.

The class action brought by financial institutions against Target focused entirely on Minnesota law, alleging negligence, violation of the PCSA, and negligence per se because of the PCSA violation. Target tried to limit the application of the Minnesota law to the business it did in Minnesota (only a small part of the transactions at issue), but the court rejected its argument:

The Act does not apply only to business transactions that take place in Minnesota. By its terms, it applies to the data retention practices of any person or entity “conducting business in Minnesota.” Minn. Stat. § 325E.64, subd. 2. Target is a Minnesota company that conducts business in Minnesota, and thus its data retention practices are governed by the Act. And contrary to Target’s assertions, the application of the PCSA to out-of-state transactions does not implicate the dormant Commerce Clause. (citations omitted)

Another example is the Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2011 WL 6012598 (S.D. Texas). In the case brought by financial institutions, the company’s argument was the opposite of Target’s. Instead of limiting the application of its home state statute, Heartland argued that the law of its home state, New Jersey, should be the ONLY law applicable (particularly since the court agreed that New Jersey’s Consumer Fraud Act did not protect financial institutions in this circumstance). The court disagreed:

Courts have applied multiple states’ laws in consumer protection cases when choice-of-law rules require doing so. See In re Pharm. Indus. Average Wholesale Price Litig., 252 F.R.D. 83, 93-96 (D. Mass. 2008) (considering the appropriate approach to certifying a consumer class action involving multiple states’ laws). Even if only one state’s law could apply, Rule 8 allows a plaintiff to “set out 2 or more statements of a claim . . . alternatively[.]” Fed. R. Civ. P. 8(d)(2). The rule applies equally to contentions regarding the applicable law. . . 

In Heartland, the court dismissed claims based on 22 other states’ consumer-protection laws, finding the plaintiffs lacked standing to bring claims under the laws of states where neither they nor Heartland were located. But the court upheld or allowed repleading of claims under CA, CO, FL, IL, and TX law.

Finally, a US class action has also been filed in the Ashley Madison website breach, where the Toronto-based company’s breach implicates pointed privacy interests in addition to the economic woes typically associated with data breaches. In what is sure to be the first of many suits, a California class action was filed on behalf of a plaintiff who wishes to remain anonymous, seeking damages based on negligence, negligent infliction of emotional distress, Violation of California’s Unfair Competition Law, and Violation Of California’s Customer Records Act.

If Madison Ashley plaintiffs can overcome the arbitration and choice of law clauses in the website’s terms of use, they will certainly face claims under the laws of other states in addition to California. It is yet to be seen whether “reasonable security procedures” are the same under California law as they are under other states’ statutes. See Cal. Civ. Code § 1798.81(b): “A business that owns or licenses personal information about a California resident [must] implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the person information from unauthorized access, destruction, use, modification, or disclosure.”

Faced with vague “fairness” requirements under federal and state law, as well as some specific state security and breach notification laws, the best a data-collecting company can do to protect itself is to pinpoint all the jurisdictions whose laws may be implicated in a breach. Compliance with FTC checklists, timely review of FTC complaints and settlement agreements in similar cases, and compliance with specific state laws should at least give a company comfort that it is applying best practices, and serve as evidence that the entity acted reasonably under the circumstances.



Allyson Haynes Stuart @

(original publication in

Crystal logo