HarrisMartin’s Data Breach Litigation Conference: The Coming of Age is scheduled for next Wednesday, March 25, 2015, at the Westin San Diego. I’ll be speaking on a panel titled Creative Approaches to Settling Data Breach Cases with Ben Barnow of Barnow and Associates, P.C., Chicago. So, the news this week was very timely that Target has reached a settlement in the consumer class actions arising out of its massive payment card breach. Because a few clients and colleagues on both sides of the bar have asked for my opinion about the settlement, I thought I’d share a few thoughts here.
Settlements in data breach cases have been fairly rare up to this point, as many data breach cases have met their doom at the pleadings stage due to the inability of plaintiffs to show injury-in-fact sufficient to give them standing. Payment Card cases have been an exception because there are real financial losses to consumers that can flow naturally from a hacking incident. Importantly, these losses generally do not include the amount of any fraudulent card transactions because federal law limits consumer liability to $50 and the major card brands go further and impose $0 liability requirements on issuing banks. However, other incidental losses, such as replacement card fees, interest, finance charges by other companies due to missed payments, to name a few, can result from a payment card breach. For this reason, claims in several payment card class actions, including Target (Target Order on Motion to Dismiss) have survived motions to dismiss, leading many defendants to settle these cases. Payment card class actions against Heartland Payment Systems, TJ Maxx, Michaels Stores, and others were all resolved by class-wide settlements.
The Target Settlement has been praised and derided by the mainstream and legal trade media with a host of characterizations ranging from “huge” to “affordable” to “tiny.” In fact, Target’s settlement is not particularly groundbreaking beyond the media attention that it has garnered. Instead, it shares many of the features of the payment card settlements that came before it, and it is not significantly different in terms of its cost or in terms of the benefits it would provide to consumers, if finally approved.
Here is a summary of some of the key features of the settlement:
Overall Costs to Target
Claims Fund. Target is to pay $10M to create a fund to pay consumers who claim certain out-of-pocket losses and time spent in connection with those losses (discussed in more detail below). The fund is non-reversionary, meaning unclaimed funds don’t go back to the defendant. Instead, the agreement contemplates that the court will decide who unclaimed funds are to be distributed. (For a discussion of how courts can deal with unclaimed funds, see this February 2010 CAB post.)
Attorneys’ Fees. The plaintiffs will request court approval of up to $6.75M in fees. Target may object to the initial request, but it may not appeal any decision by the trial court to award $6.75M or less. Target must pay the fees awarded in addition to the $10M fund.
Settlement Expenses. Target must pay for all settlement administrative expenses in addition to claims fund and fees. This includes the expenses to provide both published and direct notice of the settlement to affected customers and the costs to administer claims and make payments to claimants if the settlement is finally approved. For a class size as large as Target’s these costs can easily measure in the millions of dollars.
Total Payment by Target. So, my guess it that the total payout by Target is likely to be closer to $19M, assuming the full amount of fees are approved.
Settlement Benefits to Consumers
One of the attachments to the Settlement Agreement is a Distribution Plan that generally outlines the benefits available to claimants. The Distribution Plan doesn’t itemize every conceivable loss that might qualify for compensation, but it attaches sample claim forms that give more insight into the specific benefits that are contemplated. Most of the categories of reimbursable losses are similar to those provided for in other payment card settlements. Here’s a summary, with some comments on each category:
- Payment for unreimbursed, out-of-pocket expenses, with a $10,000 cap per claim – Note that due to the zero consumer liability rules on fraud losses, combined with the fact that payment card information cannot be used to commit other forms of identity theft, it is extremely unlikely that any individual person will have a claim for an amount near the cap. If it were otherwise, then the fund would only be sufficient to pay 1000 claims. Other payment card settlements have included individual caps for the most typical types of expenses, which rarely exceed $200 or so, with a separate fund available for extraordinary claims. The Target settlement omits this smaller cap, perhaps because experience has shown that it is generally unnecessary to control unreasonable or fraudulent claims.
- Payment for 2 hours of time at $10/hour associated with each type of actual loss claimed – Payments for time are an interesting feature of payment card settlements. Because of the zero consumer liability for fraud loss imposed by the card brands, mere lost time and aggravation make up the vast majority of consumer impact in a payment card breach. However, time and inconvenience are generally not considered injuries for which damages can be recovered, so by agreeing to pay for lost time, the defendant is agreeing to pay for something that the plaintiffs probably couldn’t recover if the case went to trial. Nonetheless, there is nothing preventing defendants from offering these benefits in a class action settlement setting, and it has become common for defendants to offer payments for lost time. Because claims for time are susceptible to fraud and abuse and are difficult to document, the amounts available tend to be limited to 1-3 hours. Based on the sample claim form, the Target settlement seems to allow claims for time spent correcting fraudulent charges, but it doesn’t appear to allow claims for lost time resulting from card replacement (for example, having to change the number on automatic or recurring payments), which is something that affects far more consumers than fraud itself in the aftermath of a payment card breach. Other payment card settlements have allowed claims for lost time for either fraud or for dealing with replacement card issues.
- Two different types of claim forms – The settlement contemplates the ability to elect either a documented or undocumented claim. Documented claims get priority in payment. From a defendant’s perspective, undocumented claims are problematic, because they are susceptible to fraud and abuse. From a consumer’s perspective, having to document claims is an added aggravation, on top of the aggravation of having had to deal with the impact of the breach in the first place. This structure offers a compromise that permits undocumented claims, but ensures that those claims that are documented will be paid first.
As a practical matter, given the size of the fund, it is likely that there will be plenty of money to pay all documented claims and all plausible undocumented claims. In fact, in view of past settlements, it is extraordinarily unlikely that the amount of all legitimate claims will get even close to the $10 million available in the fund. In the Heartland Payment Systems settlement, for example, arising out of an incident that impacted 130 million card holder accounts, the number of claims for reimbursement amounted to a grand total of $1925. (See Judge Rosenthal’s Order in Heartland Payment Systems). This miniscule claims amount was due undoubtedly to a lack of public familiarity with Heartland (a payment processor) as a brand and with the incident itself, two things that are certainly not true of Target, and claims rates in other settlements have certainly been higher despite having much smaller numbers of potential class members. However, various media outlets have quoted a RAND Corporation researcher as estimating that less than $1 million of the $10 million fund will be claimed (see, for example, this article by Jason Abbruzzese at Mashable).
If he’s right, expect a fight ahead on what should happen with the $9M in unclaimed funds which, according to the agreement, “shall be distributed by the Settlement Administrator as directed by the Court.” Cy pres anyone?