It seems as though we have been writing about this case for a lifetime. Target Corporation’s data breach saga came one step closer to a conclusion this week. On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach. Alabama, Wisconsin, and Wyoming were not part of the settlement.
Target’s multi-million dollar breach response began on December 19, 2013 when Target announced that it had suffered a data breach that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. You know the story from there.
Target’s $18.5 million settlement -- filed in California state court -- with the 47 states and the District of Columbia is the largest multistate data breach settlement ever reached. The terms of the settlement - in addition to the $18.5 million financial penalty - include requirements for Target to employ an executive to manage a comprehensive information security program and advise the company’s chief executive and board of directors. Target must also hire an independent third party to do a comprehensive security assessment. Target also has to add numerous cybersecurity measures to its systems such as encrypting payment card information, segmenting its cardholder data from the rest of its computer network, and implementing password rotation policies and two-factor authentication for certain accounts.
In announcing the settlement, California’s Attorney General Xavier Becerra emphasized his expectation that companies will provide adequate data security for their customers and that California will pursue companies that do not: “This should send a strong message to other companies: you are responsible for protecting your customers’ personal information. Not just sometimes – always. As our state’s chief law enforcer, it's my job to give Californians the confidence to know that I've got their back.” This sentiment was echoed by Illinois Attorney General Lisa Madigan who stated that the “settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers.”
In all, according to Target Corporation's most recent Form 10-K, through the end of 2016 Target had incurred $292 million of cumulative expenses related to the data breach, which after receipt of $90 million in insurance proceeds, resulted in total net expenses to Target from 2013-2016 of about $202 million. This settlement pushes the total cost to Target of the data breach to over $220 million. In addition, a multi-district consumer class action remains pending.