Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Judge OK's Target Breach SettlementAffected Consumers Will Get a Total of $10 Million
A federal judge has granted preliminary approval of a $10 million settlement of a consolidated class action lawsuit filed on behalf of consumers affected by the massive 2013 Target data breach.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Minneapolis Star-Tribune reports U.S. District Judge Paul Magnuson on March 19 granted preliminary approval of the settlement after a hearing in St. Paul.
The terms of the proposed settlement were agreed to on March 9 by Target and attorneys for the plaintiffs, CBS News reports. The agreement includes the provision that Target will also pay up to an additional $6.75 million for plaintiffs' attorneys' fees and expenses.
The settlement proposal was submitted for approval on March 18, CBS News reports. The case is In re: Target Corporation Customer Data Security Breach Litigation, U.S. District Court, District of Minnesota, No. 14-md-02522.
"We are pleased to see the process moving forward and look forward to its resolution," Target spokeswoman Molly Snyder tells Information Security Media Group.
Small Price to Pay?
Some analysts have noted that the proposed settlement agreement is a small additional price to pay for the retailer. "It's minuscule for Target," Brian Yarbrough, consumer research analyst with financial services firm Edward Jones, tells USA Today.
Indeed, as of Jan. 31, Target had $2.2 billion in cash on the books. "For Target basically it's nice just to get it over with. They have plenty of cash to pay this out," he says.
As of February, Target had spent $162 million on breach-related expenses, not counting what was covered by the company's insurance policies.
In the proposed settlement, Target says it believes that about 42 million customers' payment card data was stolen between Nov. 27 and Dec. 15, 2013, by malware installed on its POS terminals. It also says that contact information, including email addresses, for about 60 million customers was stolen by attackers, although it didn't detail when that occurred. Target had originally said that it thought up to 70 million customers' contact information had been compromised.
Under the terms of the settlement, Target would set aside $10 million in escrow - none of which would ever revert to Target - for the class-action lawsuit settlement. Victims would receive up to $10,000 each, provided they can document their losses. The court documents include a proposed claim form to be used by any breach victims who shopped at a Target store Nov. 27 to Dec. 18, 2013. Target first disclosed the data breach the next day.
Requirement: Demonstrate Losses
The proposed settlement says the majority of claims would be handled via a website that has yet to be set up, but which would be created within 10 days of the settlement becoming effective.
Target, under the settlement, would also agree to maintain a written information security program, maintain processes for monitoring for - and responding to - information security threats, as well as to "implement a program to educate and train relevant [Target] employees of the importance of the security of consumers' personally identifying information."
In July 2014, Target had moved to halt the discovery process for the class-action lawsuit. "The experiences of courts and litigants with similar motions to dismiss in data breach related class actions instruct that Target has a substantial likelihood of succeeding in seeking dismissal of all or most of the claims anticipated in the consolidated complaints," Target's attorneys said.
But the move was opposed by plaintiffs and later that month, Magnuson ruled that the lawsuit would proceed. He also detailed "an ambitious schedule for that discovery."
Victims: Document Claims
In the settlement agreement, Target argues that it's not feasible for it to identify and contact directly all of the potential breach victims: "Due to the large size of the class, it is not feasible for Target to identify the names of class members that reside in each state."
Instead, victims must document and submit their claims. According to a sample of the claim form included with the proposed settlement, consumers could log costs related to unauthorized and unreimbursed payment card charges; late fees, overdrafts, higher rates, or loss of access to funds; replacing a driver's license, Social Security number or phone number; hiring someone to help correct their credit report; or paying for credit-monitoring or identity theft monitoring services. The proposed settlement agreement would also reimburse victims for any time they lost having to detail with breach-related cleanup, at a rate of $10 per hour.
Vincent Esades, an attorney representing Target customers in the class-action lawsuits, says consumers should be able to begin filing claims around April 30, that up to 100 million people may be eligible. He estimates that the entire settlement - including attorneys fees and administrative costs - will likely cost Target about $25 million, and notes that after the $10 million allocated to victims has been paid out to reimburse documented claims, the remainder would be divided equally among victims who have not documented claims, but who state under oath that they have suffered losses.
"Target really needs to be commended for being willing to step up," Magnuson said at the March 19 hearing, the Minneapolis Star-Tribune reported. He has scheduled a Nov. 10 hearing, so that he can assess how the claims have been handled before issuing a final ruling on the settlement.