Target proposes $10 million settlement for 2013 data breach

Target Corp. (NYSE:TGT) has proposed a $10 million settlement of a class action lawsuit regarding the high-profile 2013 data breach that compromised the personal and credit card information of as many as 110 million people, according to court records.

The proposal calls for Target to pay individuals up to $10,000 in damages and implement additional data security measures. These would include appointing a chief information security officer and maintaining a written information security program.

The Target data breach was the first of many to be widely publicized. The breach impacted the credit card information of 40 million consumers and the personal data of as many as 70 million additional people.

The retailer would deposit the $10 million into an interest-bearing account, the Wall Street Journal reported, and use the money to pay the claims of class members, as well as any other court-approved awards. Class members who submit documentation through a dedicated website will be eligible for the reimbursement of up to $10,000.

The settlement was negotiated with attorneys representing consumers claiming their information was compromised in the breach, who filed it with the U.S. District Court in Minnesota for approval.

"We are pleased to see the process moving forward and look forward to its resolution," said Molly Snyder, a Target spokesperson.

However, it will be difficult for victims of the breach to collect a significant portion of the $10 million proposed settlement, USA Today reported, citing information security experts. The burden of proof is on the consumers, who must submit documentation of loss on a claims form.

Target may end up paying out only part of the $10 million because the money is available only to "those consumers who can demonstrate loss," said Sasha Romanosky, an economics of information security researcher with the RAND Corp. But court documents said that no portion of the $10 million fund will revert to Target.

It's difficult for consumers to prove harm due to a breach, according to Romanosky, as well as Craig Newman, managing partner at law firm Richards Kibbe & Orbe. Often credit card companies will not charge consumers for fraudulent purchases if the issuer catches them first, or if the consumer reports them in a reasonable time.

Consumers who did pay for fraudulent charges on their credit cards will have to provide paperwork documenting that they had not made the charges, and that they had tried to correct them and failed.

"The law generally does not compensate consumers for their hassle," Newman says. "In terms of being able to document that and say, I as a consumer have suffered legal damages, that's a very tough putt for a consumer."

Some aspects of the proposed settlement seem unique, said Mark Melodia, founder of the information technology, privacy and data security practice at the law firm of Reed Smith. "First, the amount of attorneys' fees contemplated by this deal is at the high end of the historical range, even for multi-district litigation proceedings," Melodia said, telling USA Today that he had not studied the settlement.

"Second, it is unusual for a major company to agree to follow certain security practices dictated by a settlement with private class action lawyers and then imposed by a final Order of the Court," he said.
