Early news reports indicate that Target will pay $10 million to settle a class action lawsuit with the “Consumer Plaintiffs” related to the 2013 data breach at its stores.

The consumer plaintiffs will be paid settlement proceeds through a dedicated website. The proposed settlement also includes a provision requiring Target to adopt new security measures including appointing a chief information security officer, implementing a written information security program and providing additional security training to its employees.

Consumer plaintiffs will be able to submit claims for their damages which can include the following:

  • Documentation for losses that they can reasonably attribute to the data breach. For example, this may include a credit card statement, invoice or receipt showing an unauthorized charge related the breach.
  • Documentation for losses that include two hours of lost time at $10 per hour for each “documented loss they incurred.” For example, this would include time spent correcting unauthorized charges or obtaining a new driver’s license.

The settlement also requires Target pay the consumer plaintiffs’ attorneys’ fees. Target cannot contest any amount of attorneys’ fees exceeding $6.75 million. The Class Action Plaintiffs’ Memorandum In Support of Motion for Certification of a Settlement Class and Preliminary Approval of Class Action Settlement provides further details of the proposed settlement.

This settlement comes after a U.S. District Court judge rejected Target’s argument that the consumer plaintiffs lacked standing because they could not establish that they suffered an injury from the December 2013 breach of their personal information.

The Memorandum submitted to the District Court is a worthwhile read with a significant amount of valuable information. For example, in a discussion on Page 9 about the class action plaintiffs’ investigation of the breach, the following sources are identified:

Statements Target made on its website and in communications to its customers;

  • Examining iterations of Target’s privacy policy over a number of years preceding and during the period of the breach;
  • Analyzing testimony before the breach and reports issued by Congressional committees;
  • Reviewing news articles, including investigative reports, examining the causes of the data breach;
  • Evaluating analysts’ reports;
  • Reviewing Target’s annual reports and submissions to federal agencies;
  • Conducting factual research into Target’s data security practices, including public information about past breaches of Target and other retailers’ systems;
  • Researching warnings and alerts issued by credit card issuers;
  • Studying industry standards governing data security;
  • Evaluating studies examining data security practices, breaches, risks and the impact of breaches; and
  • Communicating with knowledgeable consultants and experts on data security.

This list, drawing from resources existing both before and after Target’s data breach, provides further evidence the importance of preparing for a breach before it happens.

Tressler will continue to provide updates regarding the litigation involving the consumer plaintiffs as well as that involving the financial institution plaintiffs.

This settlement does not include the “Financial Institution Plaintiffs” in the suit. Target sought to dismiss banks claims, but the District Court allowed the banks to proceed. Tressler will continue to follow the proceedings regarding this matter.