Target has reached a settlement of the class actions brought against it as a result of the data breach the company suffered in November 2013. On March 19, 2015, a US court granted preliminary approval to a proposed settlement that would see Target pay US$10 million to class members as well as implement measures to better protect customer data (see In re: Target Corporation Customer Data Security Breach Litigation, 2015 U.S. Dist. LEXIS 34554 (D. Minn. 2015)). The final hearing to approve the settlement will be in November 2015.
Under the proposed settlement, affected customers are eligible for damages up to a maximum of $10,000, provided they have documentary evidence of actual losses that were ‘more likely than not’ caused by the data breach. The settlement also requires Target to implement business measures to protect customer data. The company has agreed to appoint a Chief Information Security Officer and to maintain an information security program and procedures for monitoring and responding to information security events. It has also agreed to implement employee training about why and how to secure customers’ personal information.
The costs of the settlement are a drop in the bucket compared to the initial costs of responding to the breach that Target reported last August. At that time, those costs were reported at $148 million. Release of that information was quickly followed by a drop in Target’s share price (see: http://www.forbes.com/sites/samanthasharf/2014/08/05/target-shares-tumble-as-retailer-reveals-cost-of-data-breach/).
There is a high price to data breaches. Being proactive, rather than reactive, will reduce that risk. Organizations should implement information management and security measures before those unnecessary costs are incurred.