()

Modern data breaches can have huge impact, often striking millions of victims. But for most, the breaches haven’t cost them anything: No fraudulent charges or costs associated with changing their bank cards.

That’s left courts to grapple with whether such victims have standing to sue for injuries and, if so, how they should be compensated.

Weighing in on that debate, a federal judge overseeing a class action against Target Corp. on Wednesday came out with an order approving class certification in a $10 million data-breach settlement.

U.S. District Judge Paul Magnuson, who had previously approved the settlement, considered the issue of class certification at the urging of the U.S. Court of Appeals for the Eighth Circuit, which concluded in February that his initial review had failed to conduct a “rigorous analysis” on whether the named plaintiffs adequately represented class members without economic losses. 

On Wednesday, Magnuson found that they had.

“All class members were victims of the theft of their personal information and suffered the attendant fear that this information might find its way into the wrong hands on the Internet’s black market,” he wrote. “The only difference among class members is in the quantifiable damages suffered, not in the underlying injury.”

Objector Leif Olson, whose appeal brought the case to the Eighth Circuit’s attention, asserted on remand that the named plaintiffs in the case failed to adequately represent class members who got nothing simply because they had no financial impact from the breach.

“The Target class action settlement freezes out millions of people from settlement relief,” wrote Olson’s attorney, Melissa Holyoak, a senior attorney at the Competitive Enterprise Institute’s Center for Class Action Fairness, in an email. She vowed to continue the fight before the Eighth Circuit—though it’s unclear what next steps the appeals court has planned. The panel also has another objector’s appeal pending that challenges $6.7 million in attorney fees.

In an email, plaintiffs’ attorney Vincent Esades, a partner at Minneapolis-based Heins Mills & Olson, called Magnuson’s order a “very thorough and thoughtful decision.”

“I feel confident the Eighth Circuit will see it that way,” he wrote. “I am disappointed that the promised appeal is going to delay the benefits of the settlement to the settlement class members.”

The Target case involved one of the first massive breaches to hit retailers: A 2013 hack impacting 110 million customers. The settlement provides compensation for class members with documented losses of up to $10,000 and reimbursement for the costs of identity theft protection. Class members who had no losses could get a share of any unclaimed funds but also would “benefit from the heightened protections Target agreed to put in place,” Magnuson wrote.

But it wasn’t the settlement’s provisions that were at issue this week. Olson argued that the inadequate representation of the class warranted the certification of subclasses because the named plaintiffs had a conflict with class members who had no financial losses. Those class members might have losses in the future or, in some cases, could have been entitled to compensation under certain statutory claims.

Magnuson called Olson’s conflict argument “rank speculation.”

“There is no evidence that the settlement here is similarly weighted in favor of one group to the detriment of another,” the judge wrote. “Rather, the settlement accounts for all injuries suffered.”

Modern data breaches can have huge impact, often striking millions of victims. But for most, the breaches haven’t cost them anything: No fraudulent charges or costs associated with changing their bank cards.

That’s left courts to grapple with whether such victims have standing to sue for injuries and, if so, how they should be compensated.

Weighing in on that debate, a federal judge overseeing a class action against Target Corp. on Wednesday came out with an order approving class certification in a $10 million data-breach settlement.

U.S. District Judge Paul Magnuson, who had previously approved the settlement, considered the issue of class certification at the urging of the U.S. Court of Appeals for the Eighth Circuit, which concluded in February that his initial review had failed to conduct a “rigorous analysis” on whether the named plaintiffs adequately represented class members without economic losses. 

On Wednesday, Magnuson found that they had.

“All class members were victims of the theft of their personal information and suffered the attendant fear that this information might find its way into the wrong hands on the Internet’s black market,” he wrote. “The only difference among class members is in the quantifiable damages suffered, not in the underlying injury.”

Objector Leif Olson, whose appeal brought the case to the Eighth Circuit’s attention, asserted on remand that the named plaintiffs in the case failed to adequately represent class members who got nothing simply because they had no financial impact from the breach.

“The Target class action settlement freezes out millions of people from settlement relief,” wrote Olson’s attorney, Melissa Holyoak, a senior attorney at the Competitive Enterprise Institute’s Center for Class Action Fairness, in an email. She vowed to continue the fight before the Eighth Circuit—though it’s unclear what next steps the appeals court has planned. The panel also has another objector’s appeal pending that challenges $6.7 million in attorney fees.

In an email, plaintiffs’ attorney Vincent Esades, a partner at Minneapolis-based Heins Mills & Olson , called Magnuson’s order a “very thorough and thoughtful decision.”

“I feel confident the Eighth Circuit will see it that way,” he wrote. “I am disappointed that the promised appeal is going to delay the benefits of the settlement to the settlement class members.”

The Target case involved one of the first massive breaches to hit retailers: A 2013 hack impacting 110 million customers. The settlement provides compensation for class members with documented losses of up to $10,000 and reimbursement for the costs of identity theft protection. Class members who had no losses could get a share of any unclaimed funds but also would “benefit from the heightened protections Target agreed to put in place,” Magnuson wrote.

But it wasn’t the settlement’s provisions that were at issue this week. Olson argued that the inadequate representation of the class warranted the certification of subclasses because the named plaintiffs had a conflict with class members who had no financial losses. Those class members might have losses in the future or, in some cases, could have been entitled to compensation under certain statutory claims.

Magnuson called Olson’s conflict argument “rank speculation.”

“There is no evidence that the settlement here is similarly weighted in favor of one group to the detriment of another,” the judge wrote. “Rather, the settlement accounts for all injuries suffered.”