On March 19, 2015, the United States District Court in the District of Minnesota gave preliminary approval to a proposed settlement for the December 2013 data breach suffered by Target Corporation.1 Target proposes to settle the consolidated consumer class actions by paying US$10 million, amounting to a maximum of $10,000 for each affected individual, and by agreeing to bolster its protection of customer data. A final hearing is set for November 2015.

Background

It was first disclosed on December 19, 2013 that hackers had broken into Target's computer network through the heating, ventilation, and air conditioning control and monitoring systems, resulting in the theft of credit and debit card information for over 40 million customers and other personal information of 70 to 110 million customers.2 Dozens of proposed class action lawsuits were subsequently filed in the United States and were eventually consolidated into three groups: consumers, financial institutions, and shareholders. The recent settlement is limited to the consolidated consumer class action.

Proof of damages to access settlement payments

While affected customers are eligible for up to $10,000 in damages, claimants must provide documentary evidence of losses actually incurred that were more likely than not caused by the data breach. Evidence may include credit card statements, invoices and receipts, but not personal declarations or affidavits from the claimant. If adequate evidence is provided, claimants will also be entitled to receive limited reimbursement for time spent dealing with each loss. Once claims supported by documentary evidence have been paid out and class representatives have been compensated, the claims without supporting documentation will share equally in what remains of the $10 million settlement.

Additional measures to protect customer data

The settlement agreement also includes a non-monetary component requiring that Target:

  • appoint a Chief Information Security Officer, a high-level executive responsible for the company's information security program and the protection of customer personal information;
  • maintain a written information security program, which would identify potential risks to customer personal information and involve periodic reviews by senior leadership of the safeguards in place to control such risks;
  • maintain procedures for monitoring and responding to information security events, which would include software security testing and breach response policies; and
  • provide training to employees on the importance of and methods for securing customer personal information.

In reviewing data security policies and practices, businesses and institutions should consider implementing the above measures to ensure that confidential and personal information is well protected in light of the growing threat of hacking and the potential vulnerability of computer networks.

Canadian litigation remains pending

As a result of this same data breach, a proposed class action against Target in Canada was filed at the Québec Superior Court in March 2014.3 According to the Québec claim, the data breach affected approximately 700,000 Canadian Target customers.

Footnotes

1 In re: Target Corporation Customer Data Security Breach Litigation, 2015 U.S. Dist. LEXIS 34554 (D. Minn. 2015).

2 The compromised information included names, phone numbers, mailing addresses, email addresses, credit and debit card numbers, encrypted PIN numbers, expiration dates and magnetic stripe information.

3 Zuckerman v. Target Corporation, Québec Superior Court (Court File No. 500-06-000686-143, 2014).
