Target to Pay 47 States $18.5M to Settle Data Breach Case

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Joyce

Target Corp. will pay $18.5 million to settle state enforcement actions over the retailer’s payment card hacking breach that affected as many as 60 million customers during the 2013 winter holiday shopping season, a coalition of 47 state attorneys general announced May 23.

The settlement capped an investigation led by Illinois Attorney General Lisa Madigan (D) and Connecticut Attorney General George Jepsen (D), and is the largest multi-state data breach settlement achieved ever, according to a statement from Madigan’s office.

The settlement means Target’s legal disputes arising from the 2013 hacking breach are nearing an end. The cumulative costs for putting the data security incident behind the Minneapolis-based retail giant are large. But the company maintains a $30.1 billion market capitalization, according to Bloomberg data.

The company previously reached a settlement with Visa Inc. for $67 million, as well as a $39 million settlement with a class of banks and credit unions. A $17 million settlement of a consumer class lawsuit is awaiting finalization. Shareholder derivative actions against the company were dismissed.

The new agreement means all extant legal disputes involving the Target 2013 data breach with the states are settled, Jenna Reck, Target spokeswoman, told Bloomberg BNA May 23. “We’re pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed,” Reck said.

New Security Procedures, Outside Audit

The attorneys general’s investigation determined that the breach of Target’s computer networks was carried out through hacking a third-party vendor, Madigan’s office said. The hack resulted in the breach of a customer service database containing payment card numbers, replete with expiration dates, verification codes and encrypted debit card personal identification numbers, along with the full names of payment card holders.

As part of the settlement, Target agreed to develop, implement, and maintain a comprehensive information security program “reasonably designed to protect the security, integrity, and confidentiality of Personal Information it collects or obtains from Consumers,” the agreement said.

Under the agreement’s terms, Target must develop written, risk-based policies and procedures for auditing vendor compliance with the program. The company must also employ an executive with the appropriate background or experience to implement the required information security plan. That executive will directly advise Target’s chief executive officer and board members on the company’s data security posture, the agreement said.

The company must also hire a third-party assessor to evaluate the information security plan, the agreement said.

California will receive $1.4 million of settlement funds, the largest share of any of the 47 states that are part of the agreement.

To contact the reporter on this story: Stephen Joyce in Chicago at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security