Authored by Scott Hall
Pursuant to a settlement agreement with the Attorneys General of nearly all 50 states [1], Target Corporation will pay $18.5 million to settle claims brought by the state Attorneys General arising from the November 2013 data breach – involving the credit or debit card information of approximately 40 million Target customers – caused by cyberattacks on Target’s network.
The settlement is the latest in a string of settlement payments made by Target as a result of the breach, which includes payments of over $100 million to banks and credit/debit card companies for fraudulent charges and other damages, as well as a $10 million payment to settle a civil class action brought by affected customers. In total, Target reports that, to date, the cost of the data breach has exceeded $200 million. [2]
Notably, the settlement agreement with the Attorneys General goes beyond mere payment of monetary penalties. It requires Target to take specific steps to implement a comprehensive information security program aimed at avoiding future breaches. The settlement agreement requires Target to implement this new security program within 180 days of the effective date of the agreement, and mandates that Target, among other things: (1) maintain a written policy that adequately addresses the administrative, technical and physical safeguards for personal information maintained by Target, taking into account Target’s size, the nature of its operations, and the sensitivity of the personal information it maintains; (2) employ an executive or officer with an appropriate background or experience to implement and maintain the program; and (3) maintain encryption protocols and related policies reasonably designed to protect personal information. Target is also required to separate its customer credit and debit card data from the rest of its computer network (that is, to segment the cardholder data environment from the broader corporate network), and to test for, and correct, vulnerabilities in its computer network. [3]
Within one year of the settlement, Target must obtain a third-party “information security assessment” to review and report on the implementation of the new information security program. The Attorneys General have the right to initiate a proceeding for any failure to comply with the provisions of the settlement agreement, as well as for any other failure to comply with applicable data security laws. In other words, Target’s implementation of these data security policies and procedures will be under a regulatory microscope for the foreseeable future.
The moral of the story for other companies, as made clear in a statement by Connecticut Attorney General George Jepsen, is that “Companies across sectors should be taking their data security policies and procedures seriously. Not doing so potentially exposes sensitive client and consumer information to hackers.” [4] This is true even for companies that do not face the significant exposure of a large retailer like Target. Regardless of company size or industry, the settlement sends a message that companies must either implement reasonable and adequate data security safeguards, or risk a breach that could result in government-imposed implementation and oversight of a much more rigorous and burdensome program.
In sum, this is a reminder that now is a good time for all companies to review their data security policies and programs, data breach response protocols, and compliance with applicable consumer protection and data security laws, to ensure that they do not become the next example of what not to do.
[1] Alabama, Wyoming and Wisconsin are not parties to the settlement. A copy of the settlement agreement is available at: http://www.ct.gov/ag/lib/ag/press_releases/2017/20170522_targetmultistateavc.pdf
[2] See “Target in $18.5 million multi-state settlement over data breach” (Reuters, May 24, 2017), available at: http://www.cnbc.com/2017/05/24/target-in-18-point-5-million-multi-state-settlement-over-data-breach.html
[3] Certain of the specific data security requirements expire after five years (Settlement Agreement ¶ 32).