After years of litigation, this week Target agreed to pay $18,500,000 to settle claims with 47 states and Washington D.C. to resolve the massive data breach that occurred in December of 2013. During that cyberattack, more than 40 million credit and debit cards from shoppers were hacked. The contact information of more than 60 million customers was also stolen. The hackers used a third-party vendor to gain access to Target’s IT storage database. From this point, the hackers then installed a form of malware to capture and transfer data out of Target’s database. Even encrypted PIN numbers for debit cards were compromised.
This is the largest multi-state data breach settlement ever reached in the U.S. and fortunately Target has reserved some money for this agreement via its data breach liability reserves. Prior to the Target Settlement, the highest settlement amount was from 2009 for $9.75 million with TJX Companies. Settlements of this nature are relatively rare, but this case could open the door to more lawsuits like it. Large companies are likely tracking the course of this case, and will hopefully tighten their data security in response. While the total damages may not seem high given the scope of the those affected, Target’s profit and stock prices fell in the subsequent months as shoppers were hesitant about security. Target estimates that the total cost of the data breach could be in excess of $200 million dollars.
As part of the settlement, Target is now required to adopt new security measures to protect consumer information. A new executive is set to be appointed to monitor all electronic security and will be required to advise the CEO and other board members. Additionally, an independent third party will be hired to perform a security analysis for card information that would protect the cardholder’s privacy and render the card useless when stolen. Fortunately, a cyber-hack to this scale has not affected the company since.
While the investigation was led by Connecticut and Illinois, New Jersey is set to receive $680,411 from the settlement. California is set to receive the largest portion of the settlement with more than $1.4 million. Alabama, Wyoming, and Wisconsin were the only states that did not participate in the settlement. Furthermore, the awards to each state will go to the attorney’s fees and other costs in the Attorney General’s budget. This rare settlement will serve as an incentive for states to get involved in other data breach cases since damage awards will be directly funding the Attorney General offices.
This is not the first time that Target has made headlines in recent years for large settlement payouts. In August of 2015, Target agreed to pay a $2.8 million settlement for a discrimination lawsuit based on assessment tests that allegedly discriminated based on a person’s sex and race during hiring. Also as part of this settlement agreement, Target agreed to voluntarily establish a new management position to monitor ongoing compliance as a result of the discrimination lawsuit.