On Wednesday, December 2, 2015, Target agreed to a $39 million settlement with certain banks and credit unions as well as Mastercard Inc. relating to a 2013 data breach of Target’s databases. Additionally, provided the court approves, Target will also pay the U.S. banks’ attorney fees. Although preliminarily approved, the court scheduled a hearing on final approval of the settlement for May 10, 2016.
In 2013, Target disclosed that a data breach had occurred and at least 40 million credit cards had been affected by the data breach. Later, in January 2014, Target disclosed that personal identifying information (or portions thereof) of at least 70 million of its customers had also been compromised. The combination of these numbers caused many reports to contend that any where from 70 to 110 million consumers had been affected by what came known as the “Target 2013 Holiday Data Breach.” Target later provided testimony before the United States Senate on the results of its investigation.
Many banks and credit unions (Umpqua, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain) filed suit contending that they lost millions in reimbursing customers for fraudulent charges and issuing new cards. In 2014, the banks filed a consolidated class action complaint in the United States District Court, District of Minnesota. In their complaint, the banks and credit unions asserted claims of negligence, violation of the Minnesota Plastic Card Security Act, negligence per se, and negligent misrepresentation by omission.
The banks previously rejected a $19 million settlement that Mastercard Inc. had accepted. As far as other litigation following the 2013 Target data breach, Target settled with Visa for $67 million and settled a class action brought by customers for $10 million. Though significant, the combined settlements to banks have yet to reach the 200 million in damages claimed by trade groups.
In August 2015, the Securities Exchange Commission announced it would not pursue an enforcement action against Target. Previously, in 2011, the SEC Division of Corporate Finances provided guidance on its views relating to disclosure of cyber risks and cyber incidents by public companies. Following the disclosure of the Target data breach, the SEC held a roundtable on cybersecurity issues at which Commissioner Aguilar mentioned the Target data breach. Commissioner Aguilar later offered comments on the role of business’ Boards of Directors in addressing cybersecurity risks.
The 2013 Target data breach followed other data breaches of Home Depot, Inc., Neiman Marcus Group Ltd., and P.F. Chang’s China Bistro Inc.
— Charles Lee Mudd Jr. with contributions by Tatyana Ruderman, Associate Attorney, Mudd Law