[BreachExchange] Eighth Circuit Undoes Target Data Breach Settlement Class

Mon Feb 20 19:39:04 EST 2017

http://www.lexology.com/library/detail.aspx?g=5e3fa3f6-bef6-4fec-b99b-
c28300dfa2b9

The $10 million settlement class in the Target data breach case was
unraveled by the Eighth Circuit Court of Appeals in a recent decision that
will force the district court to address the impact of the Supreme Court’s
decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the
district court, finding that the lower court did not conduct a rigorous
analysis of the record under Rule 23 prior to certifying the settlement
class.

The case stems from the 2013 data breach of consumers’ credit and debit
card information, which consisted of approximately 110 million Target
customers. Following the consolidation of the hundreds of consumer class
action lawsuits that followed, the U.S. District Court for the District of
Minnesota preliminarily certified a settlement class defined as “[a]ll
persons in the United States whose credit or debit card information and/or
whose personal information was compromised as a result of the [Target] data
breach.” Under the terms of the settlement, Target was to create a $10
million settlement fund, which would pay class members with documented
losses first with the remaining balance distributed to members with
undocumented losses. Class members who suffered no loss from the data
breach would not receive any monetary compensation. Target also agreed to
permit an attorney fee award of up to $6.75 million in addition to the $10
million class fund and take on certain improvements in its data security
practices.

Prior to final approval, two class members, Leif Olson and Jim Sciaroni,
objected to the settlement. Olson alleged that certification of the class
was improper due to the intraclass conflict between the named
representatives and class members who, like Olson, had not suffered any
loss and therefore would not receive any compensation, but would release
Target from any claims should the breach someday injure him in the future.
Olson contended that this “zero-recovery subclass” should be certified as a
separate subclass with independent representation.

At the final approval stage, the district court did not analyze Olson’s
objection. Indeed, the district court refused to reconsider whether
certification was proper solely because it had already preliminarily
certified the class, stating “[b]ut the Court certified a settlement class
in the preliminary approval order, and will not revisit that determination
here.” This outright refusal to consider the propriety of class
certification at the final approval stage was the death knell for the case
before the Eighth Circuit.

The Eighth Circuit explained that not only do courts have the duty to
conduct a rigorous analysis to ensure that Rule 23’s prerequisites are met,
but this duty continues throughout the litigation. In reviewing the
district court’s preliminary order, the Eighth Circuit found that it was
lacking in legal analysis, concluding that the court’s remarks were “the
product of summary conclusion rather than rigor.” This lack of legal
analysis constituted an abuse of discretion and prevented the appellate
court from conducting a meaningful review.

The Eighth Circuit highlighted three issues for the district court to
consider on remand. First, whether an intraclass conflict exists when class
members who cannot claim money from a settlement fund are represented by
class members who can. Second, if there is a conflict, whether it prevents
the class representatives from fairly and adequately protecting the
interests of all of the class members. Third, if the class is conflicted,
whether the conflict is fundamental and requires certification of one or
more subclasses with independent representation.

Although these questions are important in any case involving intraclass
conflicts, they underscore a problem arising frequently in data breach
actions—how should the law treat the compromise of data without any
evidence of misuse. This issue is particularly at the forefront following
the Supreme Court’s decision in Spokeo v. Robins. If class members that
suffered no loss from the data breach lack standing under Spokeo, it is
unclear whether such a subclass could exist since neither the
representative nor its members suffered a concrete injury. It also poses
the question as to whether those members should be included in the class at
all. How the district court analyzes these issues on remand may set the
stage for future data breach class actions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170220/7996253b/attachment.html>