Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states' investigation into the retail company's 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Target's payout is the largest settlement of a multi-state data breach investigation to date.
The states' investigation found that in November 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database and to install malware on the system that was used to capture consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs.
Under the settlement document, Target is required to:
- develop, implement, and maintain a comprehensive information security program;
- employ an executive or officer who is responsible for executing the plan;
- hire an independent, qualified third party to conduct a comprehensive security assessment;
- maintain and support software on its network for data security purposes;
- maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
- segment its cardholder data environment from the rest of its computer network; and
- undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication.
California Attorney General Xavier Becerra said that California will be receiving more than $1.4 million from the settlement, the largest share of any state. California’s complaint alleged that Target violated California Civil Code section 1798.81.5 by failing to implement and maintain reasonable security procedures and practices appropriate to protect the personal information of California residents that Target owned.
Illinois will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan. "Today’s settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Madigan said.
New York Attorney General A.G. Schneiderman said the settlement will bring "over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach." He added that "New Yorkers need to know that when they shop, their data will be protected."
New Jersey will receive $680,411 from Target, Attorney General Christopher S. Porrino announced. "Major retailers—including Target—routinely ask their customers to entrust them with personal information in service of payment card contracts, mailing lists, e-coupons and other promotions," Porrino said. "But, if retailers are going to solicit such personal information and retain it in a data base, they have a duty to be vigilant about securing that data base."
Massachusetts will receive $625,000, Attorney General Maura Healey announced. "Consumers should be able to shop without fear that their credit card information will be stolen," said Healey. "This settlement makes clear that we expect retailers to take meaningful steps to protect consumers’ credit and debit card information from theft."
Pennsylvania Attorney General Josh Shapiro said 1.6 million consumer transactions affected by the Target data breach took place in Pennsylvania. His state’s share of the settlement is $469,000. "The long-term value of this settlement is the reform effort Target must undertake to protect the personal financial data of Pennsylvania consumers and consumers across the country," said Shapiro.
Michigan will receive nearly $400,000 from the settlement, according to Attorney General Bill Schuette. "Keeping customers’ personal information safe must be a top priority for all retail companies," Schuette said. "Target’s data breach broke some of the trust they had built with consumers and hopefully their willingness to change their security practices will restore faith in the company."
Georgia Attorney General Chris Carr said, "It is important to remember that in a world where cybersecurity threats are evolving, so too must our efforts to combat them." His announcement noted that Georgia will receive $394,592.86 from the settlement.