Modern Data Breach Litigation

By Kate Baxter-Kauf

Modern data breach litigation has emerged in the past few years, in large part following the data breach in November and December 2013 at Target Corporation, a flagship Minnesota company. In the past six years, as data breaches at major retailers, medical and health insurance companies, and tech giants have become ever more complicated, and as the public has become increasingly aware of cybersecurity threats and privacy interests, this litigation has become an ever larger part of the litigation landscape. And for Minnesota consumers, notifications that personal and credit information has been compromised have become simultaneously shocking and commonplace. Not surprisingly, data breach and cybersecurity litigation have also become an emerging market for Minnesota lawyers across all types of practice, including litigation, transactional work, and advising.


Within that landscape, lawsuits brought by data breach victims in an attempt to redress their damages from retailer, medical, and other financial data breaches have become an increasingly large part of the class action landscape. Many non-class action attorneys are aware of those lawsuits because they have received class action notices themselves or because of Article III standing disputes over when and how different victims of data breaches have standing to sue. However, what was an emerging circuit split has evened out somewhat: while there are divisions between how different courts decide the dispute, almost all federal appeals courts, including the 8th Circuit, have provided circumstances under which different data breach victims—consumers, patients, financial institutions—have standing.


Two big, well-known Supreme Court decisions inform data breach litigation and plaintiff standing. The first is Clapper v. Amnesty International USA, which is the most recent recitation of the basic test for establishing the injury-in-fact element of Article III standing, holding that “threatened injury must be certainly impending to constitute injury in fact.”[1] Second, Spokeo, Inc. v. Robins holds that the Constitution’s Case or Controversy Clause requires any plaintiff to allege an injury-in-fact that is “concrete and particularized.”[2] Clapper and its application meant that many courts found that, absent allegations of actual identity theft or other fraud, increased risk of harm alone is insufficient to confer Article III standing.[3]


Some courts, like those in the Ninth Circuit, on the other hand, found that increased risk of harm, mitigation damages, or other exposure were enough to meet the requirements for Article III standing.[4] In Minnesota and the Eighth Circuit, however, the application of the Article III standing doctrine has played out in only a few cases. In In re Target Corporation Customer Data Security Breach Litigation, for example, Judge Paul Magnuson found cognizable injury for consumer plaintiffs based on allegations that Target’s data breach had resulted in customers incurring unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.[5] The Eighth Circuit, however, in deciding In re SuperValu, Inc., found injury-in-fact for allegations of actual identity theft but required additional information related to increased risk of threat beyond that originally alleged in the complaint.[6]


Minnesota’s particular relationship to data breach litigation extends beyond the mere timing coincidence of the Target Data Breach in 2013; that case was the first under Minnesota’s Plastic Card Security Act (PCSA).[7] Under the PCSA, any person or entity “conducting business in Minnesota” is forbidden from retaining credit or debit “card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data” after the authorization of the transaction (or, for PIN debit transactions, for more than 48 hours after transaction authorization). If a company violates that requirement and then suffers a data breach, the violating company “shall reimburse the financial institution that issued any [credit or debit cards] affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.” This liability shift, which was enacted in 2007 after a previous retailer data breach, provides a powerful incentive for retailers in Minnesota to secure information and use updated credit card technology. The incentive also extends beyond the state’s borders, since at least the Target Corporation Customer Data Security Breach Litigation applied the PCSA to all companies doing business in Minnesota and was not limited to only those business transactions that took place in Minnesota.[8]


For these reasons, Minnesota continues to be at the forefront of modern data breach litigation. It is a good idea for all attorneys to know the basics—even if it is just as a consumer. 


Kate Baxter-Kauf


Ms. Baxter-Kauf is an associate at Lockridge Grindal Nauen. Her practice is concentrated in the firm’s data breach, antitrust law, business litigation, and securities litigation practice groups. She represents individuals, consumers, financial institutions and small businesses in litigation to protect their rights and, most often, the rights of the class members they seek to represent. Ms. Baxter-Kauf is a 2011 magna cum laude and Order of the Coif graduate of the University of Minnesota Law School.


[1] 133 S. Ct. 1138, 1147 (2013).

[2] 136 S. Ct. 1540 (2016).

[3] These standing issues generally apply to consumers alleging harm. Financial institutions who file similar suits have not always faced these challenges. 

[4] See In re Zappos.com, Inc., 888 F.3d 1020, 1023 (9th Cir. 2018), cert. denied sub nom. Zappos.com, Inc. v. Stevens, 139 S. Ct. 1373, 203 L. Ed. 2d 609 (2019).

[5] See 66 F. Supp. 3d 1154 (D. Minn. 2014).

[6] See 870 F.3d 763 (8th Cir. 2017). The Ninth Circuit in Zappos noted that this was not really a circuit split: “The Eighth Circuit did hold in In re SuperValu, Inc., Customer Data Security Breach Litigation that allegations of the theft of credit card information were insufficient to support standing. But no other personally identifiable information (PII), such as addresses, telephone numbers, or passwords, was stolen in that case. The Eighth Circuit acknowledged cases like Attias (in the D.C. Circuit) and Remijas (in the Seventh Circuit) but opined that standing questions in data breach cases ‘ultimately turn on the substance of the allegations before each court…particularly, the types of data allegedly stolen.’” Zappos, 888 F.3d at 1026 (citing SuperValu, 870 F.3d at 766, 769–72) (internal citations omitted).

[7] See Minn. Stat. § 325E.64. 

[8] See In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304 (D. Minn. 2014).
