Measuring The Bull’s-Eye On Target’s Back: Lessons From The T.J. Maxx Data Breach Class Actions
“Simply put, the class action vehicle is broken.”
-- Judge William Young, Overseeing The T.J. Maxx Data Breach Litigation
Check CoverageOpinions.info for the current issue.
Once my wife believes something it is very difficult to change her mind. And if her mother agrees with her then look out. I could call in Socrates to speak with her and even he would walk away just shrugging his shoulders. Sorry man, I tried.
In a way this is the situation that Target Corp. is going to face when it defends the 70 or so putative class actions that have recently been filed against it – so far -- in various federal courts around the country for damages allegedly caused by a massive security breach of its customers’ personal and financial information. Yes, 70. You read that right.
At issue is the theft of the retailer’s customers’ personal information from the magnetic strips of their credit and debit cards. The theft allegedly occurred between November 27 and December 15 when customers’ cards were swiped through the retailer’s point-of-sale terminals. This was no small data breach. In general, it was initially announced that thieves stole credit and debit card information from 40 million customers. It later came to light that the same criminals acquired names, addresses and phone numbers from as many as 70 million accounts. However, given the no doubt overlap of these two groups, the number of affected individuals is not 110 million. Not that that’s much of a consolation for Target. And just as day follows night, after the breach was announced, the law suits began rolling in. Seven were filed on the same day that the breach was announced. For some plaintiffs’ lawyers this was the Black Friday door buster to end all others.
Despite the parade of horribles that the class action complaints allege that Target caused to its customers, Target’s website states that its guests (as the company refers to its customers) will have “zero liability for any charges that [they] didn’t make.” Target’s CEO, Gregg Steinhafel, in a CNBC interview that aired Monday, repeated that over and over and over. There’s no ambiguity there. No Target customer will be picking up any bar tabs in Nigeria.
But none of this will matter to the plaintiffs’ attorneys that have filed the class action suits. Just as my wife will never be convinced that taking Montgomery Avenue home from the King of Prussia Mall is just as good as Old Gulph Road, the plaintiffs’ attorneys will never believe that Target, no matter what it says or does to try to convince them, will adequately compensate its customers. [Actually, they probably do. But if they said so it would leave no compensation for themselves. So the class action suits will roll on.]
At least Target’s shareholders feel confident that the retailer will make all of this right. The company’s stock has held up well despite the onslaught of negative publicity and obvious fact that the data breach is going to cost Target shopping carts full of money. [Target’s revenue in 2013 was $73 billion. That’s more than the gross national product of over a hundred countries. So the company is unlikely to feel the hit as much as some would.]
Target is going to experience financial exposure on many fronts. Some of the obvious ones are the cost to investigate the data breach and upgrade its systems to prevent future breaches. There will be lost sales, which will translate to lost profits. Target has reported that it expects fourth quarter 2013 adjusted earnings per share of $1.20 to $1.30 compared with prior guidance of $1.50 to $1.60. Target will face claims from banks that suffered losses for fraudulent charges, as well as for the cost of banks to issue replacement cards. [A recent Wall Story Journal story addressed some issues surrounding that last point.] Target may be required to deal with shareholder suits against the company as well as settlements with state attorney’s general.
And, of course, Target will surely be required to compensate its customers for their alleged damages. These 70 or so class actions and counting are not going to be litigated in any court of law with a jury foreperson someday standing up and announcing a verdict in favor of Target. Of course not. These class actions will be settled. Target is much too reputation-dependant to not want to get these suits in the rear view mirror pronto.
So how might the Target class actions play out? That is impossible to gauge at this point. But for some guidance on that question consider the 25 class action complaints, filed in 2007, against retailer T.J. Maxx (and some sister stores), for damages allegedly caused by the theft of customers’ personal information.
But before getting to the TJX cases, and what they may foretell for Target, it is worthwhile to look at the Target class action complaints themselves and address whether Target has done what’s alleged and whether the plaintiffs have in fact suffered the damages they claim. Not that any of these details matter in the world of consumer class actions, but just indulge me.
The class action plaintiffs seek damages for their financial losses due to unauthorized charges on their credit and debit cards. But Target has made it abundantly clear that its customers will suffer no such losses. The class action plaintiffs also seek to be provided with credit monitoring services. That is usually one of the more tangible elements of damages sought in cases like this. Target has stated that it will offer free credit monitoring to its customers for one year. Details of this are spelled out on Target’s website. The company didn’t need to be forced by any court to offer this service.
Some class action plaintiffs seek damages for emotional distress. Really. I’m not making that up. My wife shopped at Target during the breach period. Thankfully she seems to be holding up just fine. But I am keeping a close eye on her for any changes in her behavior. Target’s Minneapolis headquarters is located not far from the Mayo Clinic in Rochester, Minnesota. Perhaps they can work out a deal to treat those suffering from such distress.
Some plaintiffs are seeking punitive damages from Target. Punitive damages are awarded for conduct that resembles criminal. They are saved for societal conduct that is the worst of the worst. It may turn out that Target did or didn’t do some things that allowed the data breach to take place. But it is inconceivable that anything it did could justify punitive damages. You don’t get to be the nation’s second largest retailer, with over 1,900 stores, by acting in any manner that comes within a hundred miles of conduct that could justify punitive damages.
The class action plaintiffs allege that Target breached various state consumer protection statutes. But these statutes are likely inapplicable to the circumstances here and/or Target did not act with the level of culpability required to have committed such a breach. The class action plaintiffs also allege that Target breached various state statutes that require timely notice of a data breach. Target announced the breach just four days after it was discovered. Further, these statutes generally do not include a private right of action.
Most reasonable people would stop shopping in any store that treated them as horribly as they alleged Target did. But I suspect that the class action plaintiffs have not seen the last of the inside of a Target store.
But despite the assurances and benefits that Target has offered voluntarily, without any court intervention, the class actions are still sure to settle -- and for some big numbers. Judge William Young, a Massachusetts federal judge, has stated: “Simply put, the class action vehicle is broken.” His Honor added that “there are surely plaintiffs’ lawyers who bring putative class action lawsuits without merit, assuming, correctly, that in many cases the defendant will settle the case to avoid a small probability of a substantial judgment.” That Judge Young made these statements, in the context of overseeing the T.J. Maxx data breach class actions, does not bode well for Target. See In Re TJX Companies Retail Security Breach Litigation, No. 07-10162 (D. Mass. Nov 3, 2008).
While the Target consumer class actions are bound to settle, what might that look like? Again, while it is impossible to know at this point, the settlement of the T.J. Maxx data breach class actions sheds some light on what may lie ahead for Target.
The T.J. Maxx data breach involved the theft of data related to over 45,000,000 credit and debit cards used at TJX Stores (T.J. Maxx, Marshalls, HomeGoods and a few others). However, banking associations that issued some of the affected cards asserted that hackers actually compromised the security of over 94,000,000 accounts. In any event, TJX announced in January 2007 that, going back as far as 2003, and in mid-May through December 2006, some customer financial information, as well as driver’s license numbers (which may be the same as social security numbers) were stolen from its systems.
The breach was announced in January 2007 and the settlement of 25 class actions came swiftly. The initial settlement was filed with the court on September 21, 2007. Putting aside other settlement-related activities, the settlement was put to bed in September 2008. Target is also likely to address the class actions with similar alacrity as TJX. In general, the settlement terms were as follows.
TJX offered three years of Equifax’s “Credit Watch Gold with 3-in-1 Credit Monitoring” (which includes $20,000 in identity theft insurance) to the approximately 455,000 class members whose name, address and driver’s license or military, tax or state identification number (which for some is the same as their social security number) may have been compromised. These are individuals who had previously returned merchandise to TJX without a receipt and, as part of that process, had provided such information to the retailer (the so-called “unreceipted return customers”). Such credit monitoring had a retail price of $390 for each class member. Thus, the cost to provide this service to 455,000 class members was $177,000,000.
But here’s the rub. According to the court’s opinion addressing attorney’s fees (approved to be $6.5 million; but subject to a very lengthy explanation from the court), only slightly more than 3% claimed the credit monitoring benefit.
Target is now offering its customers one year of Experian’s ProtectMyID credit monitoring, which includes $1,000,000 of identity theft insurance. According to Experian’s website, the retail price of this is $15.95 per month. Of course, Target is obviously not paying the rack rate. [If there’s an annual price for this service I could not find it as Experian’s website was not responding to certain links.]
It is not surprising that only slightly more than 3% of the eligible TJX class members sought credit monitoring. It was offered to them eons after the data breach took place. By the time it was offered those affected either forgot about the breach or knew by then that they were probably not in an jeopardy of identity theft.
Target’s offer of credit monitoring is world’s apart from TJX’s. Target is offering it to all of its customers and doing so when the incident is very fresh in their minds. Indeed, Target’s offer is coming while the data breach story is still front page news. There are exponentially more than 455,000 people eligible for credit monitoring and a lot more than 3% are going to take Target up on its offer. Consider that you aren’t even required to have shopped at Target during the breach period to sign up for credit monitoring. Target states that “[a]ll Target guests who shopped in U.S. stores can take advantage of one-year of free credit monitoring.” I didn’t shop at Target during the relevant period and I just signed up for it. The process was really easy.
Target is voluntarily taking on a huge credit monitoring expense. Target could do what TJX did and offer credit monitoring as part of a class action settlement long after this incident has been forgotten. This would dramatically reduce its credit monitoring liability. But that’s not the path it took. Nonetheless, despite voluntarily approaching credit monitoring in this manner, that likely won’t be enough for the class action plaintiffs’ attorneys.
The TJX settlement also included various cash payments and store vouchers for these unreceipted return customers. TJX reimbursed any costs incurred to replace their driver’s license. Those whose social security number was the same as their driver’s license, military, tax or state identification number could recover losses over $60 that occurred as a result of identity theft traceable to the breach. Customers were required to submit proof of loss and the aggregate amount payable for this category of damages was $1,000,000. As of the court’s November 3, 2008 opinion addressing attorney’s fees, almost 4,800 of such claims had been made. None were deemed valid and no payments had been made under this category.
Another category of benefits was offered to customers who certified that they made a purchase with a credit card, debit card, or check at TJX stores during the relevant time periods and incurred at least $5 in out-of-pocket expenses or lost time (valued at $10 an hour) as a result of the intrusion. Under this “self-certification” option, class members needed only to state, under penalty of perjury, that they had made a check or card purchase and that they had suffered the required loss. These individuals would receive, at their option, either a $15 check or a $30 voucher. The agreement imposed a $10,000,000 cap on claims made by self-certifying class members. Claims were valued at $30, whether for check or voucher. Class members who could provide documents that they both made a qualifying purchase (for example, a credit card statement) and suffered the requisite loss were eligible to receive a $30 check or $60 in vouchers. The agreement imposed no cap on the value of vouchers that class members could claim via this method but limited the payout made in check form to $7,000,000.
For lawyers who no doubt claimed that a data breach was a huge inconvenience for customers, they sure didn’t put a lot of value on their clients’ time or inconvenience when it came to reaching a settlement. Ironically, for most TJX customers, making a claim for compensation was probably a bigger inconvenience than the data breach itself ever caused them.
It is hard to imagine Target not voluntarily offering its customers some sort of coupons as an apology, for their inconvenience, as evidence of taking responsibility and a sign of good faith to win back their loyalty. Target already offered its customers a 10% discount the weekend after the breach was announced.
So what does all of this mean for Target. The simple answer is this. Even if no Target customer will have any liability for fraudulent charges; even if Target takes on a huge credit monitoring liability – and far greater than if it waited to be compelled to do so; even if the consumer protection and data breach notice claims have no merit; even if the TJX case shows that actual losses for identity theft from a date breach are rare; and even if Target voluntarily offers compensation for inconvenience, none of this is likely to be enough to escape also paying the class action piper. That’s just how it works. The plaintiffs’ attorneys are not going to look at Target’s voluntary compensation and drop their cases. OK, this looks good. We’re not needed here. Move along folks. Nothing to see. What Target can hope for is that all of its voluntary compensation serves to take some of the value out of the class action settlements.
Disclosure Statement: I do not own any shares of Target Corp. stock. White and Williams, LLP does not represent Target Corp.
This alert was originally published in Coverage Opinions. If you would like more information or would like to subscribe, visit CoverageOpinions.info.