Decided - The FindLaw Noteworthy Decisions and Settlements Blog

Target Agrees to Pay $18.5M and Change Customer Data Security

As a result of the 2013 holiday shopping season data breach at Target stores across the country, the retailer has agreed to pay $18.5 million to end a multistate enforcement action. This settlement is reported to be the largest ever in a multistate consumer data-breach enforcement action.

The multimillion dollar settlement will get stretched relatively thin though as it is set to be divided by 47 different states. California, which will receive almost $1.5 million from the settlement, is getting the largest share. These funds will not be going to consumers, but rather to the state's consumer protection enforcement offices. However, this settlement is in addition to a $10 million settlement that was recently approved in the consumer class action stemming from the same incident.

Details of the Case

During the busy holiday shopping season in 2013, hackers were able to infiltrate Target's security. During the breach, the hackers stole valuable data, including customer names, addresses, emails, credit card numbers, and associated expiration dates and pin codes. It was estimated that over 60 million customers' information was affected, including over 40 million credit cards.

In the aftermath of the hack, Target faced lawsuits from consumers and credit card companies, as well as official investigations by various state agencies. Credit card companies were seeking to hold Target liable for not keeping their customers' personal information safe which caused the banks and credit companies to incur costs of issuing new cards and covering fraudulent charges.

Target's Accountability for Failed Security Policies

The official investigation and action brought by the states sought to hold Target accountable for their failed security policies that led to the breach. In addition the agreed upon $18.5 million, Target has agreed to change their security policies to make customer data more secure, and to render stolen data worthless by using more encryption. Additionally, Target must hire a third party company to review their security measures and recommend changes.

Consumers that were affected by the breach should have long since received settlements, if they qualified. However, a vast majority of affected consumers received new credit cards before they ever even knew they were affected. Since credit card companies protect consumers from fraudulent purchases, it is common practice to preemptively re-issue new cards after companies discover their card holders have been effected by a large retail data breach.

Related Resources: