Digital Transactions Authoritative, insightful and timely information for payments professionals
By Jim Daly
Lawyers for Target Corp. and consumers affected by the big discount retailer’s 2013 data breach were scheduled to meet in U.S. District Court in St. Paul, Minn., today to review a proposed settlement under which Target will pay up to $10 million to customers who suffered financial losses from the breach that compromised 40 million payment card numbers and non-card information on 70 million people.
The class-action settlement may be the largest publicly disclosed consumer-related payout ever in the wake of a merchant data breach. Last year, St. Louis-based grocery store chain Schnuck Markets Inc. settled claims for losses arising from a data breach that affected 79 of its stores for $2.1 million.
Under terms of the settlement, Minneapolis-based Target will pay $10 million into an interest-bearing escrow account, according to a court filing detailing the settlement. Target also agreed to appoint a chief information-security officer, maintain a written information-security program, and establish processes to monitor and respond to data-security events. The company also is to provide data-security training to employees.
In addition to the settlement fund, Target is to pay the plaintiffs’ attorneys’ fees and expenses. Target is allowed to object to the plaintiffs’ requested legal fees but may not appeal any payment unless it exceeds $6.75 million.
“We are pleased to see the process moving forward and look forward to its resolution,” a Target spokesperson said in an emailed statement.
The settlement adds to the $162 million tab Target already has incurred from the huge breach, and more bills will be coming. As of Jan. 31, Target had incurred $252 million in total breach-related expenses, offset by $90 million in expected insurance recoveries, the company said in its recently filed annual report for fiscal 2014.
Target still faces investigations by two federal agencies as well as state attorneys general. In addition, three of the four major general-purpose payment card networks, either directly or through merchant acquirers, filed claims last year against Target on behalf of card issuers that sustained fraud or other losses stemming from the breach. Target said it expects the fourth network to also file a claim.
“We expect to dispute the claims that have been or may be made against us by the payment card networks, and we think it is probable that our disputes would lead to settlement negotiations consistent with the experience of other entities that suffered similar payment card breaches,” the annual report says.
Under the proposed class-action settlement, distributions will be made through a “consumer-friendly” process that includes a dedicated Web site established by the settlement administrator, Rust Consulting Inc. Consumers also can make claims by mail.
Consumers can submit claims for reimbursement of up to $10,000. Claim filers must provide “reasonable documentation showing their losses more likely than not arose from the Target data breach (for example, a credit card statement, invoice or receipt),” the settlement document says. Consumers also can seek reimbursement for two hours of lost time, at $10 per hour, for each type of documented loss—for example, resolution of unauthorized credit card charges or replacement of driver’s license.
None of the funds in the escrow account are to revert to Target after payments to consumers and related expenses. Any residual funds would be distributed under direction of the court.
