In what appears to be the closing act of the saga that is the Target data breach, on May 23 the retailer announced it had reached a settlement agreement with a coalition of 47 states’ attorneys general. Pursuant to the settlement, Target will pay $18.5 million to the states in rough proportion to their population (California will receive the largest distribution, with $1.4 million). The settlement represents the largest multi-state data breach settlement to date, although, unfortunately, it is almost certainly only a matter of time before it is eclipsed.
Target discovered the breach during the 2013 holiday shopping season. Investigations into the breach revealed that hackers gained access to a database containing customer payment card information — including customer names, card numbers, expiration dates, security numbers and debit card PINs — by breaching one of Target’s third-party vendors. The breach impacted the payment card information for over 40 million consumers, along with the email and physical mailing addresses for another 70 million consumers.
Target’s investigation also revealed that its computer security system had detected suspicious activity that turned out to be the hackers uploading the tools used to compromise the consumer data. The alarms raised by this activity were logged, but no action was taken in response — thereby allowing the breach to proceed.
While the payment may receive the most attention, the settlement agreement also requires Target to implement a comprehensive data security plan, with particular emphasis on buttressing vendor security. Key points of the plan must include:
- Developing risk-based policies and procedures for auditing vendor compliance with the program;
- Creating an executive-level position responsible for executing the security plan, with direct access to the CEO and board to advise on the company’s compliance with the plan (not so unlike the much-buzzed-about requirement in the EU General Data Protection Regulation that some firms designate a data protection officer); and
- Retaining a third party to assess Target’s plan and its implementation.
Target offers a cautionary tale to any company that handles sensitive information. As we have previously posted, Target has paid settlements to impacted financial institutions, consumers and, now, governmental bodies, totaling over $140 million. All told, Target reports it has incurred costs of over $292 million from the data breach, which have been partially offset by insurance recoveries of $90 million.
The Target data breach exemplifies both the need for, and cost-effectiveness of, having rigorous data security and breach response plans in place prior to an incident, and a thorough assessment of insurance coverage available for any breach. It also demonstrates the potential vulnerabilities introduced by third-party vendors and the importance of ensuring that third parties comply with an overall data security plan. Finally, and perhaps most importantly, Target’s situation illustrates that even the best data security plans and tools are of limited utility if not effectively implemented and executed, both within the company and throughout its supply chain.
Mark Mattingly and Matt Hafter are attorneys in Thompson Coburn’s Cybersecurity practice.