Remember the massive data breach incident at Target stores during the holiday season of 2013? It resulted in a huge class action suit that may soon be settled for $10 million. Could this be the cautionary tale to get retailers to take data security more seriously?
The Target breach compromised the personal information of about 40 million credit and debit card accounts and 110 million customers. Its size and very inopportune timing sent shivers down corporate spines.
Now, in a proposed settlement, Target has agreed to pay up to $10 million in claims. See In re Target Corp. Customer Data Security Breach Litig. (D Minn, Mar. 18, 2015, No. MDL No. 14-2522 (PAM/JJK)). The district court judge gave preliminary approval of the settlement under which customers affected by the breach would be able to file claims for up to $10,000 as soon as April 30.
Now, $10 million is a lot of money, but it’s not very much for a breach affecting 110 million customers. For example, if every claimant was qualified to receive $10,000, Target would only be able to pay 1000 claims. But that won’t likely be an issue. As in many other data breaches to date, it will be difficult for customers to meet their burden of proof to show actual harm.
It won’t be enough for a customer to assert that his or her credit or debit card was exposed; rather, a customer will have to show proof of actual harm and will be required to do that by providing documentation of actual losses due to:
- Unauthorized charges;
- Time spent addressing those charges;
- Fees to hire someone to correct their credit report;
- Resulting higher interest rates or fees on the accounts;
- Credit related costs; or
- Costs to replace identification such as a driver’s license, SS number, or phone number.
So it’s safe to assume that very few of the 110 million customers will get much, if any, settlement money.
The proposed settlement also requires Target to appoint a chief information security officer, keep a written information security program, offer security training to its workforce, and implement a process to monitor data security events and respond to threats. This part of the settlement could affect the most meaningful change in Target’s data security and hopefully influence other companies to improve security.
The amount and nature of this settlement is fairly typical in data breach class actions, but it’s relatively small compared to the breach-related losses Target itself has already suffered—reports suggest that Target spent up to $252 million last year for related expenses. And it will be quite a trick for customers to document their losses sufficiently to recover any damages at all. But maybe this suit and settlement will make future customers safer at Target and other stores as the costs of these huge data breaches in legal fees, settlements, and all-important customer confidence leads to improved data security.
Get practical guidance on the challenges involved in bringing and recovering in data breach class action lawsuits in CEB’s Privacy Compliance and Litigation in California, ch 12. On viruses and other network disruptions, turn to CEB’s Internet Law and Practice in California, ch 18. Also check out CEB’s program Technology Law Forum: Privacy and Data Security Issues Related To Use of Customer Information, available On Demand.
Other CEBblog™ posts you may find interesting:
- Pharmacy Liable for Employee’s Illegal Peek at Customer Prescription Records
- A Victory for Personal Information Privacy
- Revenge Porn Victims Have New Rights
© The Regents of the University of California, 2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.