By now, most people are familiar with the 2013 data breach reported by Target. In what has been described as one of the largest data breaches in U.S. history, Target acknowledged that hackers gained access to credit card and debit card data of up to 40 million of its customers. In the time since the breach, much attention has been given to its aftermath and what impact it would have on the future of cybersecurity. That future appears to have arrived, at least in part, with the announcement of a record-setting settlement between Target and forty-seven states, as well as the District of Columbia.
Under the settlement agreement, Target will pay $18.5 million to the participating states, which is in addition to $10 million that Target has already paid to consumers in a settlement of a private class action lawsuit and $39 million Target paid to several banks that serviced MasterCards used by Target’s customers. Yet, the settlement is noteworthy for several reasons beyond the staggering financial component, and the implications that are left behind offer some useful guidance for companies hoping to avoid suffering a similar fate to Target’s.
First, anyone looking for direction on how to structure their own company’s internal cybersecurity protocols and defenses in a way that would ostensibly comply with the standards acceptable to their respective state’s Attorney General can now look to the settlement agreement as a model (except if you live in Alabama, which did not participate in the settlement as it lacks a state data breach notification law, or Wisconsin or Wyoming, which chose not to participate in the settlement). While the settlement is binding on no one but Target, it represents a joint effort by nearly every state’s Attorney General to ensure that future cyber-breaches of the same magnitude as Target’s do not occur. This means it is likely a strong indicator of what state enforcement agencies will look for in future investigations when determining whether a company had proper cybersecurity safeguards in place. For instance, the agreement mandates that Target implement corrective measures such as maintaining appropriate encryption policies, implementing password rotation policies and two-factor authentication, and even segmenting cardholder data from the rest of Target’s computer network. Incorporating such protections into your company’s cybersecurity and data privacy protocols is a sound practice and now appears to be one that carries at least some unofficial governmental approval.
Second, the settlement may establish a range for the extent of damages that can be incurred by a company suffering a cyber-breach of similar scope to Target’s. In obtaining cyber insurance, one question companies repeatedly ask is: how much coverage is enough? While no one can answer that question with true exactitude, the Target settlement provides a little guidance and, if nothing else, leaves the impression that whatever level of coverage a company may have, depending on the breadth of its business, it may need more than expected. Including the settlement with the forty-seven states, the private class action and the bank settlement, Target incurred damages of no less than $67.5 million.
Third, expect more action from the state Attorneys General that participated in the settlement in investigating breaches. Consider that each state that participated in the settlement received a portion of the $18.5 million. For example, New Jersey, which was part of the seven-state executive committee that investigated the Target breach, received $680,411.00 from the settlement funds. NJ.Com reported that the entirety of those funds will go towards attorney’s fees, administrative costs and consumer protection law enforcement funds, among other purposes. The funds will not be shared with the consumers affected by the breach and instead can be used by the State of New Jersey to support future cyber-incident investigations. This may mean that the Attorneys General of the participating states have just funded their budgets to pursue more investigations.
The Target settlement agreement provides an opportunity to learn what to expect from future state investigations into cyber-breaches. Based on the enormous financial implications of the settlement, your company cannot afford to ignore the settlement.