<i><b>Online Extra:</b></i><br>Target to Pay $18.5M to States over Data Breach

Retail giant Target has agreed to pay a total of $18.5 million in a settlement with 47 states over a 2013 consumer data breach that resulted in over 100 million pieces of credit card or personal information being stolen by hackers. California will receive more than $1.4 million from the settlement, the largest share of any state.

The May 23 settlement came after a multi-state investigation led by the Connecticut and Illinois Attorneys General Offices. That investigation found that hackers accessed Target's gateway server using credentials stolen from a third-party vendor, according to statements from the participating states.

The hackers used those credentials to break into Target's system, allowing them access to a customer service database, into which they installed malware to capture data, including consumers' personal and credit card data, as well as encrypted debit PINs. The attackers made off with more than 41 million customer card accounts nationwide and contact information for more than 60 million customers.

Jon Lambiras, a securities and consumer protection lawyer at Berger & Montague in Philadelphia who was not involved in the Target litigation, said settlements of this nature have historically been rare, but that could change now.

“It very well may foreshadow what could happen in the future, especially since the settlement goes to the attorney generals' budget to fund enforcement actions. It provides an incentive for the AGs to get involved,” Lambiras said.

Deterrence was a major theme brought up by many of the attorneys general who released statements about the agreement.

The $18.5 million settlement with the states, coupled with the $10 million consumer class action settlement approved last month, may seem like a drop in the bucket for a retail juggernaut like Target, but according to Lambiras, the deterrent effect lies in the residual legal and public relations costs companies incur following a data breach.

In a statement, Connecticut Attorney General George Jepsen said the settlement should serve as a wake-up call to companies to tighten their data security. He also gave kudos to Target for working with authorities after the breach.

“Target deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement,” Jepsen said. “I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”

California Attorney General Xavier Becerra said in a statement that the settlement “should send a strong message to other companies: you are responsible for protecting your customers' personal information. Not just sometimes — always.”

The only states not participating in the settlement are Alabama, Wisconsin and Wyoming.

According to the statement, the agreement also requires Target to develop and maintain a comprehensive information security program and employ an executive or officer responsible for overseeing it. Target is required to hire an independent third-party to conduct a security assessment of its system.

*****
P.J. D'Annunzio writes for The Legal Intelligencer, the Philadelphia-based ALM sibling of Cybersecurity Law & Strategy. He can be reached at [email protected], and on Twitter @PJDannunzioTLI.

Retail giant Target has agreed to pay a total of $18.5 million in a settlement with 47 states over a 2013 consumer data breach that resulted in over 100 million pieces of credit card or personal information being stolen by hackers. California will receive more than $1.4 million from the settlement, the largest share of any state.

The May 23 settlement came after a multi-state investigation led by the Connecticut and Illinois Attorneys General Offices. That investigation found that hackers accessed Target's gateway server using credentials stolen from a third-party vendor, according to statements from the participating states.

The hackers used those credentials to break into Target's system, allowing them access to a customer service database, into which they installed malware to capture data, including consumers' personal and credit card data, as well as encrypted debit PINs. The attackers made off with more than 41 million customer card accounts nationwide and contact information for more than 60 million customers.

Jon Lambiras, a securities and consumer protection lawyer at Berger & Montague in Philadelphia who was not involved in the Target litigation, said settlements of this nature have historically been rare, but that could change now.

“It very well may foreshadow what could happen in the future, especially since the settlement goes to the attorney generals' budget to fund enforcement actions. It provides an incentive for the AGs to get involved,” Lambiras said.

Deterrence was a major theme brought up by many of the attorneys general who released statements about the agreement.

The $18.5 million settlement with the states, coupled with the $10 million consumer class action settlement approved last month, may seem like a drop in the bucket for a retail juggernaut like Target, but according to Lambiras, the deterrent effect lies in the residual legal and public relations costs companies incur following a data breach.

In a statement, Connecticut Attorney General George Jepsen said the settlement should serve as a wake-up call to companies to tighten their data security. He also gave kudos to Target for working with authorities after the breach.

“Target deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement,” Jepsen said. “I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”

California Attorney General Xavier Becerra said in a statement that the settlement “should send a strong message to other companies: you are responsible for protecting your customers' personal information. Not just sometimes — always.”

The only states not participating in the settlement are Alabama, Wisconsin and Wyoming.

According to the statement, the agreement also requires Target to develop and maintain a comprehensive information security program and employ an executive or officer responsible for overseeing it. Target is required to hire an independent third-party to conduct a security assessment of its system.

*****
P.J. D'Annunzio writes for The Legal Intelligencer, the Philadelphia-based ALM sibling of Cybersecurity Law & Strategy. He can be reached at [email protected], and on Twitter @PJDannunzioTLI.