In re: Target Corporation Customer Data Security Breach Litigation — instructive 8th Circuit case re class certification

target security breachJim Sciaroni  v.  Target Corporation Civil case – Class Action in Target Security Breach. The district court’s statement in the class certification order regarding Rule 23(a)(4)’s representation adequacy requirement are conclusions, not reasons, and on their own do not constitute the “rigorous analysis” of whether certification was proper in this case; the court has a continuous duty to reevaluate certification throughout the litigation and the court’s order rejecting an allegation of intraclass conflict made before final certification improperly refused to reconsider the issue solely because it had already certified the class; as a result the district court abused its discretion by failing to rigorously analyze the propriety of certification, especially once new arguments regarding the adequacy of representation were raised after preliminary certification, and the matter is remanded to the district court for it to conduct and articulate a rigorous analysis of Rule 23(a)’s certification prerequisites as applied to this case; “costs on appeal” for Rule 7 purposes include only those costs that a prevailing appellate litigant can recover under a specific rule or statute; as a result the bond set in this matter, which included delay-based administrative costs, is reversed and the matter remanded with directions to reduce the Rule 7 bond to reflect only those costs appellee will recover should they succeed in any issues remaining on appeal following the district court’s reconsideration of class certification. The panel retains jurisdiction over any remaining issues following the district court’s disposition on remand. The district court shall certify its findings and conclusions to this court within 120 days.

02/01/2017  Jim Sciaroni  v.  Target Corporation

   U.S. Court of Appeals Case No:  15-3909 and No:  15-3912 and No:  16-1203 and No:  16-1245 and No:  16-1408

   U.S. District Court for the District of Minnesota – Minneapolis

   [PUBLISHED] [Shepherd, Author, with Benton, Circuit Judge, and Strand, District Judge]

Download In re Target Corporation Customer Data Security Breach Litigation

© Copyright 2017 Armstrong Teasdale LLP. All rights reserved

Rosa Parks Name and Likeness Free for Use?

Rosa and Raymond Parks Institute for Self Development v. Target Corp.

Addressing the balance between privacy rights and matters of public interest, the U.S. Court of Appeals for the Eleventh Circuit affirmed the district court’s dismissal of the plaintiff’s complaint, holding that the defendant was shielded by the First Amendment from a lawsuit claiming the retailer violated the publicity rights of civil rights icon Rosa Parks by selling various products that included the plaintiff’s picture.Rosa and Raymond Parks Institute for Self Development v. Target Corp., Case No. 15-10880 (11th Cir., Jan. 4, 2016) (Rosenbaum, J.).

Target Corporation (the defendant), a national retail chain, sold books, a movie and a plaque that included pictures of Rosa Parks, an icon of the civil rights movement who, in 1955, refused to surrender her seat to a white passenger on a racially segregated Montgomery, Alabama bus. The Rosa and Raymond Parks Institute for Self Development (the plaintiff) owns the right and likeness of Rosa Parks. The plaintiff filed a complaint against the defendant, alleging unjust enrichment, right of publicity and misappropriation under Michigan common law for the defendant’s sales of all items using the name and likeness of Rosa Parks. The plaintiff complained that by selling the products, the defendant had unfairly and without the plaintiff’s prior knowledge, or consent, used Rosa Parks’ name, likeness and image as used on the products. The plaintiff further argued that the defendant promoted and sold the products using Rosa Parks’ name, likeness and image for the defendant’s own commercial advantage. After the defendant filed a motion for summary judgment, the district court dismissed the complaint. The plaintiff appealed.

On appeal, the 11th Circuit, sitting in diversity, applied Alabama’s choice-of-law rules, which holds that the procedural law of the forum state should be applied, while the law of the state in which the injury occurred governs the substantive rights of the case. Accordingly, the 11th Circuit applied the procedural rules of Alabama and the substantive law of Michigan.

In Michigan, the common-law right of privacy protects against four types of invasions of privacy: intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; public disclosure of embarrassing private facts about the plaintiff; publicity which places the plaintiff in a false light in the public eye; and appropriation for the defendant’s advantage, of the plaintiff’s name or likeness. The right of privacy is not absolute, and Michigan courts have long recognized that individual rights must yield to the qualified privilege to communicate on matters of public interest.

Applying Michigan law, the Court affirmed the district court’s dismissal of the plaintiff’s complaint, concluding that “the use of Rosa Parks’ name and likeness in the books, movie, and plaque is necessary to chronicling and discussing the history of the Civil Rights Movement” and that these matters therefore are protected by Michigan’s qualified privilege. As the 11th Circuit noted, “it is difficult to conceive if a discussion of the Civil Rights Movement without reference to Rosa Parks and her role in it.”

© 2016 McDermott Will & Emery

Target Faces First Ever Union

The Wall Street Journal reports the NLRB has rejected an appeal from Target Corp. seeking to invalidate an employee vote in favor of unionization.  In September, a “micro-unit” of about one dozen pharmacy workers in Brooklyn, NY voted in favor of unionization.  The company appealed, but the NLRB affirmed the vote yesterday.

As reported in the article, “The group of less than a dozen employees in Brooklyn, N.Y., would be the first union among Target’s nearly 350,000 employees, marking a significant milestone for a company that has fought to keep unions out of its stores.”  The complete article can be found here.

© 2015 BARNES & THORNBURG LLP

Will Cyberinsurance Cover Target's $19 Million Mastercard Settlement?

Barnes & Thornburg LLP Law Firm

Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.[1] The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).[1] The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarfs the amounts of fines for alleged PCI non-compliance.[2] Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”[10] 

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.


[1] See, e.g.First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).

[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superceded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).

[3] See, e.g.Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).

[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.

[7] Id.

[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.

[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).

[10] Target, , Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.

[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.

[2]Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

ARTICLE BY

Will Cyberinsurance Cover Target’s $19 Million Mastercard Settlement?

Barnes & Thornburg LLP Law Firm

Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.[1] The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).[1] The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarfs the amounts of fines for alleged PCI non-compliance.[2] Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”[10] 

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.


[1] See, e.g.First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).

[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superceded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).

[3] See, e.g.Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).

[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.

[7] Id.

[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.

[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).

[10] Target, , Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.

[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.

[2]Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

ARTICLE BY

Target Corp. v. Destination Maternity Corp., Final Written Decision IPR2013-00532

Drinker Biddle & Reath LLP a leading law firm with a national footprint

Takeaway: Where neither party provides an interpretation of a term that provides additional clarity, the Board will give the term its plain and ordinary meaning.

In its Final Written Decision, the Board found that Petitioner had shown by a preponderance of the evidence that all challenged claims (claims 1, 2, 5, 6, 10, 11, and 15-17) of the ’531 patent are unpatentable. The ’531 patent “relates to a garment worn during different stages of pregnancy and different stages of postpartum body changes.”

The Board addressed claim construction, stating that claims in an unexpired patent are given their broadest reasonable construction in light of the specification of the patent. The Board first analyzed the term “just beneath the wearer’s breast area.” Patent Owner argued that the term means “beneath the location of the breasts by a very small margin.” However, the term “very small margin” does not provide any further clarity. The Board determined that because neither party offered a construction that provides additional clarity, the plain and ordinary meaning will be given. Also, the Board determined that the term is a term of approximation and that a garment may satisfy claim 1 for one wearer but not another because of differences in the wearers’ body types.

The Board then analyzed the term “different body types” used in claims 2 and 17. Although Patent Owner did not propose constructions for this limitation, its patentability arguments advance an implicit construction of “different body types” that requires an unspecified amount of difference between said body types. The Board determined that the broadest reasonable construction of “different body types” means “two or more body types that are not identical.”

The Board then analyzed the term “an elastic fabric that is contractible elastically to cover an abdomen during different stages of postpartum body changes” from claim 5. Although Patent Owner did not propose constructions for this limitation, the Board determined that its patentability arguments advanced an implicit construction that claim 5 requires a specific, yet unspecified, minimum amount of contractability. However, the specification does not specify any minimum amount of contractability and does not describe or identify any stages of postpartum body changes. Accordingly, the Board determined that the broadest reasonable construction of “during different stages of postpartum body changes” means “during any postpartum body change of any wearer,” which means that the fabric does not have to contract to cover postpartum body changes of every potential wearer or to cover all postpartum body changes of any wearer.

The Board next addressed the asserted grounds of unpatentability. Addressing anticipation based on a JC Penney catalog for fold-over panel jeans, the Board disagreed with Patent Owner’s assertion that the product shown in the catalog did not disclose a panel extending “high enough on the wearer’s body.” The Board found that the JC Penney catalog disclosed a panel substantially covering the belly region and noted that it was the belly region, and not the panel, that the claims require to extend to just beneath the wearer’s breast area. Thus, the Board was persuaded that claim 1 was anticipated by the JC Penney reference. Also, the Board disagreed with Patent Owner’s assertion that Petitioner has failed to prove that the panel of the JCP fold-over panel jeans stretches or expands enough to conform to different body types, because the claims do not require any quantified amount of stretching or expansion and the term “different body types” includes any two or more body types that are not identical. The Board was also not persuaded by Patent Owner’s argument that the panel of the JCP fold-over panel jeans is not described as being contractible as allegedly recited in claim 5. The Board indicated that contraction is always present where there is contraction, and the claims did not require any specific amount of contraction.

With respect to dependent claims 6, 11, 15, and 16, Petitioner asserted obviousness based on the JC Penney catalog applied to claim 1 in view of JC Penney Bootcut jeans. Patent Owner alleged nonobviousness based on the secondary consideration of commercial success. However, Patent Owner failed to link the alleged commercial success of the products to the inventions of claims 6, 11, 15, and 16. Specifically, Patent Owner’s witness conceded that the commercial success of Patent Owner’s products had nothing to do with the unique characteristics of claims 6 and 11, which add limitations directed exclusively to features of the garment lower portion.

Target Corp. v. Destination Maternity Corp., IPR2013-00532
Paper 76: Final Written Decision
Dated: February 12, 2015
Patent: RE43,531 E
Before: Jennifer S. Bisk, Michael J. Fitzpatrick, and Mitchell G. Weatherly
Written by: Fitzpatrick
Related Proceedings: Destination Maternity Corp. v. Target Corp., Case No. 2:12-cv-05680-AB (E.D. Pa.); IPR2013-00531; IPR2014-00508; IPR2013-00530; IPR2013-00533; IPR2014-00509

ARTICLE BY

OF

Target Wins Rehearing of IPR Joinder Decision with Expanded Panel

Schwegman Lundberg Woessner

Last fall, the Patent Trial and Appeal Board (PTAB or Board) interpreted the IPR joinder provision, 35 U.S.C. § 315(c), to require joinder requests by a non-party to an ongoing proceeding.  (Target Corp. v. Destination Maternity Corp., IPR2014-00508 and IPR2014-00509.)  Prior to that decision,  the Board had interpreted § 315(c) to allow for issue joinder by the petitioner of the original proceeding (see, for example Microsoft v. Proxyconn, IPR2013- 00109).  Of course, joinder was decided on a case-by-case basis, but had not previously been denied because the request was made by the petitioner of the original proceeding.

Target Corp. filed rehearing requests in both affected IPR proceedings in an effort to have the Board reconsider its interpretation of  35 U.S.C. § 315(c) with an expanded panel.  Target’s arguments are quite clearly stated in its Motion for Rehearing.  The Board granted Target’s rehearing request.  In a 4:3 decision,  the majority agreed that § 315(c) had been overly narrowly interpreted in the prior decision:

Turning now to the merits of the Request for Rehearing, the contention at the heart of Petitioner’s request for rehearing is that the denial of its Motion for Joinder was “based on an erroneously narrow interpretation of 35 U.S.C. § 315(c).” Paper 22, 1. We agree with Petitioner.

The majority read § 315(c)’s reference to “any person who properly files a petition under section 311” in conjunction with § 311′s requirement that the petition filer not be the patent owner, to broadly interpret § 315(c) to include any person except the patent owner.  This interpretation is at odds with the dissent’s analysis, which reads § 315(c)’s reference to “may join as a party” to literally require a new party for joinder:

The statute under which Petitioner seeks relief provides:

(c) JOINDER.—If the Director institutes an inter partes review, the Director, in his or her discretion, may join as a party to that inter partes review any person who properly files a petition under section 311 that the Director, after receiving a preliminary response under section 313 or the expiration of the time for filing such a response, determines warrants the institution of an inter partes review under section 314.

35 U.S.C. § 315(c) (emphasis added). The statute does not refer to the joining of a petition or new patentability challenges presented therein. Rather, it refers to the joining of a petitioner (i.e., “any person who properly files a petition”). Id. Further, it refers to the joining of that petitioner “as a party to [the instituted] inter partes review.” Id. Because Target is already a party to the proceeding in IPR2013-00531, Target cannot be joinedto IPR2013-00531.

While the majority decision does align with panel decisions on joinder prior to Target, one must ask whether this issue is finally resolved by this expanded panel decision.  For example, what happens if another panel does not follow this interpretation § 315(c)?  Or suppose this decision is appealed; would the Federal Circuit reverse a Board decision on joinder as it relates to institution given its recent interpretation of 35 U.S.C. § 314(d) in In re Cuozzo Speed Technologies? (“We conclude that § 314(d) prohibits review of the decision to institute IPR even after a final decision. . . . Section 314(d) provides that the decision is both ‘nonappealable’ and ‘final,’ i.e., not subject to further review. 35 U.S.C. § 314(d).”)  Would a Federal Circuit appeal have to be in the form of a petition for writ of mandamus?  If so, how would that square with the mandamus decisions in In re Dominion Dealer Solutions, LLC, 749 F.3d 1379, 1381 (Fed. Cir. 2014)(mandamus relief not available to challenge the denial of a petition for IPR) and in In re Proctor & Gamble Co., 749 F.3d 1376, 1378–79 (Fed. Cir. 2014)(mandamus relief not available to provide immediate review of a decision to institute IPR)?

ARTICLE BY

OF

Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action

Mintz Levin Law Firm

A recent ruling by Federal District Judge Paul Magnuson will permit most of the consumer claims in the Target data breach litigation to survive Target’s motion to dismiss.  This most recent ruling follows on the heels of the court’s December 2 decision partially denying Target’s motion to dismiss consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach.  The late 2013 data theft that gave rise to the consumer and issuer bank claims was caused by malware placed by hackers on Target’s point-of-sale (“POS”) terminals.  The malware allowed the hackers to record and steal payment card data as customers’ credit or debit cards were swiped.  In the consolidated consumer complaint, 117 named plaintiffs allege that Target wrongfully failed to prevent or timely disclose the data theft.  Plaintiffs also contend that Target failed to disclose the purported insufficiency of Target’s data security practices.  The consumers assert claims under the laws of 49 states and the District of Columbia for negligence, breach of contract, breach of data notification statutes and violation of state unfair trade practice statutes.  The consumer complaint also purports to assert those claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach.The court’s latest ruling rejected arguments by Target as to standing and damages that would have required dismissal of the consumer claims in their entirety.  The court did state, however, that Target can revisit the question of whether plaintiffs had sustained actionable injuries after discovery has concluded.  And, even though most of the consumer Plaintiffs’ claims survive, the court did rule that that certain of the claims alleged under particular states’ laws should be dismissed.  As is true of the court’s denial of Target’s motion to dismiss the issuer banks’ consolidated complaint, the denial of the motion to dismiss does not resolve the merits of the surviving consumer claims.  Like the surviving issuer bank claims, the consumer claims that were not dismissed will now be the subject of extensive discovery and further motion practice relating to class certification and summary judgment.

Court rejects Target’s arguments on standing and injury:  As is common in data breach cases, Target’s primary ground for seeking dismissal of the consumer claims was lack of standing due to the absence of actionable consumer injury.  In its motion to dismiss, Target argued that none of the plaintiffs had alleged a present injury sufficient to establish “case or controversy” standing under Article III of the United States Constitution.  Specifically, Target contended that none of plaintiffs’ alleged present injuries either constituted a present harm to plaintiffs or was fairly traceable to the theft of payment card data.  Target’s central argument was that allegations that unauthorized charges had been made on plaintiffs’ payment cards did not plead actionable injury because plaintiffs did not – indeed, likely could not – allege that such charges had not been or would not be reimbursed by the card issuing banks.  Target further argued that other alleged injuries could not fairly be traced to theft of payment card data because they could only have arisen from unrelated conduct (such as identity theft resulting from a plaintiff’s stolen social security number) or were not fairly traceable to the data theft itself (such as loss of access to funds based on plaintiffs’ own voluntary closing of accounts).

The court gave these arguments cursory treatment.  Judge Magnuson disagreed with Target’s injury analysis, finding that “Plaintiffs have alleged injury” in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  Target contended that such alleged injuries are insufficient to confer standing because “Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts . . . .”  The court rejected this argument, stating that Target had “set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.”  In so ruling, however, Judge Magnuson merely deferred to another day a decision on whether the injuries alleged were indeed fairly traceable to the alleged wrong doing.  Despite concluding that Plaintiffs’ allegations were “sufficient at this stage to plead standing,” the court nonetheless stated that, “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”  Thus, it remains open to Target to show that neither Plaintiffs nor putative class members suffered injuries fairly traceable to the data breach.

The court’s finding that Plaintiffs had alleged actionable injuries also supported its denial of Target’s request that the Court dismiss claims asserted under 26 state consumer protection laws that required allegation of pecuniary injury.  Similarly the court rejected Target’s argument that Plaintiffs’ negligence claims should be dismissed for failure to allege cognizable damages.

Court dismisses some state consumer protection law claims; most survive.  Plaintiffs brought unfair or deceptive trade practice claims under the consumer protection statutes of 49 states and the District of Columbia.  The court dismissed claims under Wisconsin law because the subject statute contains no private right of action.  The court also dismissed claims asserted on behalf of absent class members under the consumer protection laws of Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, Tennessee and Utah, finding that the laws of those states, which preclude the assertion of consumer protection claims by means of a class action, “define the scope of the state-created right” and preclude certification of a class to pursue such claims (quoting Shady Grove Orthopedic Assocs. v. Allstate Ins. Co., 559 U.S. 393, 423 (2010)).  Otherwise, as noted above, Judge Magnuson found that plaintiffs’ allegations, including their allegations of injury, asserted actionable class and individual claims under the remaining states’ consumer protection statutes, and declined to dismiss such claims.

Certain data breach notice claims survive motion to dismiss.  Plaintiffs asserted claims against Target under the date breach notification statutes of 38 states, alleging that Target had failed to disclose the data breach as soon as required under those laws.  As with plaintiffs’ other claims, the court rejected as premature Target’s argument that plaintiffs had not alleged any actionable damages flowing from alleged violations of state data breach notification statutes.  Certain of Target’s arguments for dismissal based on statutory language prevailed.  Plaintiffs conceded that the data breach statutes in Florida, Oklahoma, and Utah did not permit a private right of action, and voluntarily withdrew those claims.  Where the applicable statutes provided only for enforcement by the state attorney general (as is true in Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada and, Texas), the court dismissed Plaintiffs’ claims.  Where the remedies available under other states’ laws were non-exclusive or ambiguous –as was the case in Colorado, Delaware, Iowa, Kansas, Michigan and Wyoming – the court declined to dismiss Plaintiffs’ claims.  Where applicable state laws were silent as to the authority to enforce the enactment, the court inferred a private right of enforcement in all states except Rhode Island, where controlling authority holds that if a statute does not expressly provide for a private cause of action, such a right cannot be inferred.  As to all other states, the court agreed with plaintiffs’ argument that there is either a permissive cause of action or that there is a private right to enforce data breach notification statues under applicable state consumer protection statutes.

Negligence claims survive where not barred under the economic loss doctrine:  Actual damages is a required element of a common law negligence claim.  The court’s rejection of Target’s argument that Plaintiffs had failed to allege actionable injury precluded dismissal of Plaintiffs’ negligence claims in their entirety for failure to plead damages.  Under certain states’ laws, however, the so-called “economic loss doctrine” requires dismissal of claims for negligence where the alleged injury consists solely of economic loss rather than personal injury or property damage.  Following state authority, the court invoked the economic loss doctrine to dismiss negligence claims based on the economic loss rule under Alaska, California, Georgia, Illinois, Iowa and Massachusetts law.  The court declined to dismiss negligence claims under District of Columbia, Idaho and New Hampshire law, holding that precedent in those jurisdictions required additional factual development to determine whether there exists any special duty that would vitiate the economic loss doctrine.  Finally, the court held that the facts pleaded in the Complaint satisfied the exception to the economic loss doctrine applicable under New York and Pennsylvania law where there is a duty to protect from the specific harm alleged.

Breach of implied contract claims survive:  Judge Magnuson held that the existence of an implied contract turns on issue of fact that cannot be resolved at the motion to dismiss stage because “a jury could reasonably find that a customer’s use of a credit or debit card to pay at a retailer may include the implied contract term that the retailer “will take reasonable measures to protect the information” on those cards (citing In re Hannaford Bros. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 119 (D. Me. 2009)).

Breach of contract claim dismissed without prejudice:  The Complaint alleges that Target violated the terms of the card agreement for the Target REDcard, in which Target states that it “use[s] security measures that comply with federal law.”  The Complaint, however, fails to specify the federal law with which Target purportedly failed to comply.  Accordingly, the court dismissed that claim without prejudice, allowing Plaintiffs leave to replead that claim to specify, if possible, the state law that had been violated.

Bailment claim dismissed:  A common law bailment claim consists of wrongful failure to return tangible property entrusted to another.  Plaintiffs, however, do not and cannot allege that stolen payment card information was given to Target with expectation of return. Therefore, the court dismissed Plaintiffs’ bailment claim with prejudice.

Unjust enrichment claim survives:  Plaintiffs claim that Target is liable for unjust enrichment because it knowingly received or obtained something of value which in equity and good conscience it should not have received.  This claim is based on two theories.  The first is an “overcharge” theory claiming that Target charges an unearned premium for data security.  The second theory states that class members would not have shopped at Target had Target disclosed alleged deficiencies in its data security.  The court rejected the first theory as unsupported as a matter of law, but concluded, without citation to authority, that the “‘would not have shopped’ theory . . . is plausible and supports their claim for unjust enrichment.”

Significant obstacles remain for consumer claims:  The court’s refusal to accept Target’s injury arguments at the motion to dismiss stage does not eliminate Plaintiffs’ burden to prove that consumers suffered actionable losses.  Because consumers generally do not have to pay for fraudulent charges on their payment cards, such activity will not provide a basis to establish cognizable damages.  Nor is the cost of credit monitoring or other activities associated with avoiding identity theft or adverse credit history likely to provide grounds for proving actionable damages.  A majority of courts that have addressed the issue have held that such costs are not actionable as a necessary and reasonable consequence of a payment card data breach.  And even where fraud mitigation costs have been treated as cognizable injury – as was the case in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) – the court nonetheless denied plaintiffs’ motion for class certificationbecause questions of whether individual consumers’ remedial actions were reasonable and what such actions reasonably should have cost could not be determined without taking testimony from every member of the class, thereby raising highly individualized issues of fact and law that would preclude trying class members’ claims through proof common to the class as a whole.  The parties will have the opportunity to grapple with these issues after discovery has concluded.

ARTICLE BY

OF

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

vonBriesen

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis1 the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014)2. Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there may be a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered. (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See, Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council.

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks“), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, were stolen.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.

ARTICLE BY

OF

Target Becomes a Target: Proposed California Bill Aims to Make Retailers Liable for Data Breach Incidents

MintzLogo2010_Black

Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents.  If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.

Among the major changes proposed in the bill:

  • Stricter Notification Requirements.  The proposed bill would create stricter time-frames and specific requirements for notification of affected consumers following a data breach incident.  In addition to current requirements to notify consumers individually in the most expedient time possible, a retailer affected by a data breach will be required, within 15 days of the breach incident, to provide email notification to affected individuals, post a general notice on the retailer’s web page and notify statewide media.
  • Retailer Liability for Costs Associated with Data Breach Incidents.  A.B. 1710 would amend California’s Civil Code to make retailers liable for reimbursement of expenses incurred in providing the notices described above, as well as the cost of replacing payment cards of affected individuals.
  • Mandatory Provision of Credit Monitoring Services.  If the person or business required to provide notification under the Civil Code is the source of the breach incident, A.B. 1710 will require that person or business to offer to provide identity theft prevention and mitigation services at no cost to affected consumers for not less than 24 months.
  • Prohibitions Against Storing Payment-Related Data.  Under a new section to be added to the Civil Code, persons or businesses who sell goods or services and accept credit or debit card payments would be prohibited from storing payment-related data unless that person or business stores and retains the data in accordance with a payment data retention and disposal policy that limits retention of the data to only the amount of time required for business, legal and regulatory purposes.  In addition, A.B. 1710 imposes further restrictions on the retention and storage of certain sensitive authentication information, such as social security numbers, drivers’ license numbers and PIN numbers.
  • Authorization of Civil Penalties.  As amended by A.B. 1710, the Civil Code would authorize a prosecutor to bring an action in response to a data breach incident to recover civil penalties of up to $500 per violation, or up to $3,000 for a willful or reckless violation.

Historically measures like A.B. 1710 have faced a difficult road.  Similar bills passed by the California legislature were vetoed twice by Governor Schwarzenegger, and the proposal of A.B. 1710 has already caused the California Retailers Association to speak out against the bill.  However, there may be a critical difference in the current climate because consumer awareness of the danger and reality of breach incidents has never been higher and, as shown by the recent Harris Poll, consumers overwhelmingly believe that merchants are to blame.

Article By:

Of: