The Eighth Circuit Court of Appeals has remanded a $10 million settlement in the Target data breach class action on the grounds that the district court had not rigorously analyzed the propriety of the class certification.

The class initially certified by the district court was defined to include "[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [2013 Target] data breach." Under the settlement agreement approved by the district court, Target would have created a $10 million settlement fund for the class. Class members with documented losses would be compensated first, with the remaining balance being distributed equally to class members with undocumented losses. Class members who suffered no loss from the security breach would receive nothing from the settlement fund.

No class members objected when the district court preliminarily certified the settlement class. However, between the district court's preliminary and final orders certifying the class and approving the settlement, class member Leif Olson objected to the settlement class on the grounds that it did not meet the basic class prerequisites under Federal Rule of Civil Procedure 23(a). Specifically, Mr. Olson argued that class members who are, like himself, ineligible for monetary compensation make up what he termed a "zero-recovery subclass." He argued that no named plaintiff belonged to this purported subclass, and therefore the court should certify a separate subclass with independent representation.

The Eighth Circuit agreed in part, holding that "the district court abused its discretion by failing to rigorously analyze the propriety of certification, especially once new arguments challenging the adequacy of representation were raised after preliminary certification." The court explained that it was not taking a position on the propriety of the class, but noted that Mr. Olson's objections raised "important concerns" about whether an intraclass conflict exists when class members who cannot claim money from a settlement fund are represented by class members who can.

The Eighth Circuit appears to be the first Court of Appeals to remand a data breach class action settlement for reasons related to the sufficiency of the class. As such, the holding may provide guidance for structuring future data breach class action settlements.

Ballard Spahr's Privacy and Data Security Group is composed of a national, cross-disciplinary team of attorneys who provide counseling, transactional, regulatory, investigative, and litigation services on privacy and cybersecurity issues across industry sectors. Our cyber incident response team assists organizations of all sizes in preparing for and responding to cyber incidents, and the investigations and litigation that often follow.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.