The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the district court, finding that the lower court did not conduct a rigorous analysis of the record under Rule 23 prior to certifying the settlement class.
The case stems from the 2013 data breach of consumers’ credit and debit card information, which consisted of approximately 110 million Target customers. Following the consolidation of the hundreds of consumer class action lawsuits that followed, the U.S. District Court for the District of Minnesota preliminarily certified a settlement class defined as “[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [Target] data breach.” Under the terms of the settlement, Target was to create a $10 million settlement fund, which would pay class members with documented losses first with the remaining balance distributed to members with undocumented losses. Class members who suffered no loss from the data breach would not receive any monetary compensation. Target also agreed to permit an attorney fee award of up to $6.75 million in addition to the $10 million class fund and take on certain improvements in its data security practices.
Prior to final approval, two class members, Leif Olson and Jim Sciaroni, objected to the settlement. Olson alleged that certification of the class was improper due to the intraclass conflict between the named representatives and class members who, like Olson, had not suffered any loss and therefore would not receive any compensation, but would release Target from any claims should the breach someday injure him in the future. Olson contended that this “zero-recovery subclass” should be certified as a separate subclass with independent representation.
At the final approval stage, the district court did not analyze Olson’s objection. Indeed, the district court refused to reconsider whether certification was proper solely because it had already preliminarily certified the class, stating “[b]ut the Court certified a settlement class in the preliminary approval order, and will not revisit that determination here.” This outright refusal to consider the propriety of class certification at the final approval stage was the death knell for the case before the Eighth Circuit.
The Eighth Circuit explained that not only do courts have the duty to conduct a rigorous analysis to ensure that Rule 23’s prerequisites are met, but this duty continues throughout the litigation. In reviewing the district court’s preliminary order, the Eighth Circuit found that it was lacking in legal analysis, concluding that the court’s remarks were “the product of summary conclusion rather than rigor.” This lack of legal analysis constituted an abuse of discretion and prevented the appellate court from conducting a meaningful review.
The Eighth Circuit highlighted three issues for the district court to consider on remand. First, whether an intraclass conflict exists when class members who cannot claim money from a settlement fund are represented by class members who can. Second, if there is a conflict, whether it prevents the class representatives from fairly and adequately protecting the interests of all of the class members. Third, if the class is conflicted, whether the conflict is fundamental and requires certification of one or more subclasses with independent representation.
Although these questions are important in any case involving intraclass conflicts, they underscore a problem arising frequently in data breach actions—how should the law treat the compromise of data without any evidence of misuse. This issue is particularly at the forefront following the Supreme Court’s decision in Spokeo v. Robins. If class members that suffered no loss from the data breach lack standing under Spokeo, it is unclear whether such a subclass could exist since neither the representative nor its members suffered a concrete injury. It also poses the question as to whether those members should be included in the class at all. How the district court analyzes these issues on remand may set the stage for future data breach class actions.