Target, the discount retailer, has settled a multi-state credit card data breach case for $18.5 million. The case arose from the 2013 holiday-season breach in which the payment card data of over 40 million Target customers was compromised, which the states attributed to inadequate data security at the retailer.
Statutes in most states mandate that businesses implement and maintain reasonable security procedures and practices to protect consumer information they collect from unauthorized access or disclosure. The lawsuit accused Target of failing to execute and maintain the necessary security practices to protect personal consumer information.
Per the complaint, “an intruder (or intruders) gained access to Target’s remote-access system and deployed memory-scraping (or RAM-scraping) malware to Target’s point-of-sale systems. The malware was designed to capture, in real time, payment card data from the magnetic strip of credit and debit cards, which the attacker eventually exfiltrated [smuggled] out of Target’s internal network.” As a result, some Target shoppers reported fraudulent charges on their payment cards.
Components of the settlement agreement, in addition to the $18.5 million Target will pay, include the following.
1) A permanent injunction (a court order requiring a party to do a specified act) requiring Target to comply with state laws that mandate companies develop and comply with security practices appropriate to protect personal information of its consumers.
2) Within 180 days after the effective date of the settlement, Target must develop, implement and maintain a comprehensive information security program reasonably designed to protect the security of personal information it collects. The program must be in writing and appropriate for the size and complexity of Target’s activities, and the sensitivity of the personal information the company maintains.
3) Target will employ an executive or officer with appropriate background and experience in information security who will be responsible for implementing and maintaining the information security program. The position’s responsibilities include advising Target’s chief executive officer and its Board of Directors about the following: “Target’s security posture, security risks faced by Target, and security implications of Target’s decisions.”
4) Target is required to ensure that its information security program receives the resources and support (including money and attention from senior officers) reasonably necessary for the program to succeed.
5) Target must develop and implement relevant policies and procedures for auditing its vendors to ensure their compliance with Target’s information security program.
6) Target must submit to an audit of the company’s information security program to be performed by a qualified and certified third party.
The requirements imposed on Target as part of the settlement set a benchmark against which other companies that process credit cards are likely to be measured. The message to companies that collect credit card information is that they are responsible for protecting their customers' personal information and will be held accountable if they fail to do so.
At the time of the security breach Target operated 1,793 stores in 49 states and the District of Columbia.
Target is not the only company to discover that settling data breach cases is costly. In March 2016, Home Depot agreed to pay $19.5 million to compensate approximately 45 million consumers affected by a huge data breach. In April 2018, Sony Pictures paid $15 million to settle a class action based on a data breach.
1) What is the lesson from this case for businesses other than Target?
 See, for example, California Civil Code, section 1798.81.5, subdivision (d)(1).