Target data breach price tag $252 million and counting

Remediation and legal challenges continue at Target Corp., in the costly aftermath of a December 2013 data security breach that compromised 40 million customers’ credit and debit cardholder data, as well as an estimated 70 million consumer email and mailing addresses. Target, in a recent statement, estimated costs of the breach to exceed $252 million in fines and legal fees, with no clear end in sight.

The newest addition to a litany of filings was announced March 26, 2015, with preliminary approval of a $10 million dollar settlement in a class action suit filed by Target customers with awards of up to $10,000 per person. Minnesota District Court Judge Paul A. Magnuson set a final hearing date of Nov. 10, the filing deadline for all claims and objections.

A separate ruling by Judge Magnuson in December 2014 paved the way for banks to sue Target, stating that the banks were the true victims in the data breach, since most consumers are fully reimbursed by banks for fraudulent charges on their credit cards. The Judge stated that the ruling’s intent was consistent with “Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”

Claimants must prove beyond doubt

Settlement terms dictate that claimants must provide proof of expenses and/or lost time caused by the data breach. Plaintiffs can use the settlement’s web portal to submit official claim forms, which must include at least one of the following complaints to meet reimbursement eligibility requirements:

• Unauthorized charges were made on their credit or debit cards that were not reimbursed.
• Time was lost when they had to deal with unauthorized charges.
• Legal counsel or an identity protection specialist was hired to rectify credit reports or to help restore credit worthiness.
• Late fees or higher interest rates were assessed on the cardholder’s account due to unusual account activity.
• The account was frozen, closed, or access to funds was blocked or restricted.
• Additional fees were paid on payment card accounts.

After the initial large payouts are made to claimants, any remaining settlement funds will be evenly disbursed among participating members of the class action suit who did not submit proof of damages. Considering that 40 million people were potentially hacked, if all or even half of those affected chose to participate, the average check would amount to under a dollar per person.

Attorneys expect to fare considerably better than consumers in this case, as settlement terms establish a separate fund of as much as $6.75 million to be set aside exclusively for class action legal representatives.

Target joins nonprofit initiatives

Target has been generally cooperative throughout the remediation process, security analysts have said. Early on, when the company first learned of the data breach, it offered customers who shopped at its U.S. locations up to a year of free credit monitoring and identity theft protection.

Immediately following the breach, Target published a dedicated website to address the ongoing data breach investigation and reassure customers that the company was making every effort to address concerns and improve security standards. In a March 6, 2014, statement, Target stated it officially joined the FSIAC:

“Target has officially joined the Financial Services Information Sharing & Analysis Center (FS-ISAC), a nonprofit private sector initiative developed by the financial services industry to help facilitate the detection, prevention, and response to cyber attacks and fraud activity," the company stated. "Information Sharing and Analysis Centers (ISACs) were created nearly 15 years ago in several industries to help effectively share critical information. As part of its financial operations (Target Bank, a federally regulated entity), Target will now be a platinum member of the organization.”

Ralph Boelter, Target Vice President of Corporate Security, added, "The Target team is looking forward to playing an active part of the FS-ISAC and working alongside these partner organizations toward industry solutions for cyber threats."

In February 2015, Target followed Payment Card Security Data Security Standard guidelines by appointing Mike McNamara as its Chief Information Officer. McNamara, formerly with U.K. retailer Tesco, will oversee a broad effort to protect consumer data, enhance threat detection, and implement ongoing employee protocols and security training.

Target has also made changes to its executive leadership. Chief Executive Officer Brian Cornell, formerly of PepsiCo Americas Foods, has replaced former CEO Gregg W. Steinhafel. In forward-looking statements released with its March 13 annual report, the company stated it expects further litigation from state and federal regulatory bodies, including the Federal Trade Commission, Securities and Exchange Commission, and leading payment card brands.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.