Data Breach Leads to $18.5 Million Settlement for Target Corp.

Author: Michael Cardman, XpertHR Legal Editor

May 25, 2017

Target Corporation will pay out $18.5 million to settle claims that its failure to "provide reasonable data security" resulted in the theft of credit card and debit card information for more than 40 million customers in 2013.

"This should send a strong message to other companies: you are responsible for protecting your customers' personal information," California Attorney General Xavier Becerra said in a statement. "Not just sometimes - always."

Many states have laws that dictate:

  • What personal information (PI) may be collected about individuals;
  • How that information may be shared, such as through encrypting or redacting the information; and
  • How the information should be disposed of when it is no longer needed.

These protections also apply to information collected about employees.

Even if all of the correct steps are taken, a security breach could allow an outside party to obtain PI. In that event, most states also have laws that detail exactly how a breach should be handled, with requirements for the timely notification of affected residents and sometimes also for the provision of services to mitigate any damages.

In addition to paying $18.5 million to the attorneys general of California and several other states that filed similar allegations, Target agreed as part of the settlement to take measures to prevent future breaches. Target admitted no wrongdoing or liability in the settlement.

"We've been working closely with State Attorneys General for several years to address claims related to Target's 2013 data breach," Target said in a statement emailed to XpertHR. "We're pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed."