(CN) - A federal judge dismissed most consumer-negligence claims against Target for cybersecurity failures that resulted in a massive data breach last year.
Data from as many as 110 million credit and debit cards used at Target stores were compromised during the 2013 holiday shopping season, when hackers made off with names, credit card numbers, security codes and expiration dates.
Exposure of the breach led Target to offer its cardholders a year's free subscription to a credit-monitoring and identity-protection service, as well as a pledge to not hold customers responsible for fraudulent charges.
Both consumers and financial institutions nevertheless brought scores of lawsuits, which were soon consolidated before U.S. District Judge Paul Magnuson in St. Paul, Minn.
Magnuson dismissed the majority of those claims Thursday after finding that some consumers' states do not permit the remedy they seek.
While plaintiffs have shown that they suffered pecuniary damages in the form of unreimbursed late fees, and card-replacement fees, numerous states do not allow a class action pursuant of consumer-protection claims.
Therefore, plaintiffs may not maintain this suit in Delaware, Oklahoma, Wisconsin, Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, Tennessee, or Utah, according to the ruling.
Further, the majority of states' data-breach notice statutes do not allow for a private cause of action, but call for Attorney General enforcement, the court found. Five states also bar recovery for purely economic losses under a theory of negligence.
Magnuson did uphold, for now, the plaintiff's "overcharge theory."
"Plaintiffs' second theory is the 'would not have shopped' theory discussed previously," he wrote. "This theory contends that, had Target notified its customers about the data breach in a timely manner, Plaintiffs would not have shopped at Target and thus any money Plaintiffs spent at Target after Target knew or should have known about the breach is money to which Target is not entitled."
Magnuson deemed this theory "plausible" if plaintiffs can establish that they shopped at Target after the megastore knew or should have known about the security breach.