Target reaches $18.5 million settlement with states over data breach

Target Corp. has agreed to pay $18.5 million to 47 states in order to settle one of the last remaining legal cases hanging over it stemming from its massive 2013 data breach.

The agreement, reached with the attorneys general's offices of those states, is the largest multistate data breach settlement to date and includes security provisions that Target must meet.

"This is a sign that state regulators intend to be aggressive about data security regardless of what the federal government may or may not do," said William McGeveran, a law professor who specializes in data privacy at the University of Minnesota.

The settlement with the states is one of several compacts Target has reached with various parties, including banks and other financial institutions, after cyberthieves infiltrated its systems in November 2013. Payment card information of 40 million customers and personal information of 60 million customers were breached.

At the time, it was one of the biggest data breaches of its kind, but has since been followed by many others.

Because there is no unified data security law, multiple parties often sue in cases of data breaches, McGeveran said.

"From Target's point of view, this is less about paying a big damages award that they already assumed they would be paying and more about clearing the decks so it's not hanging over the company's head any longer," he said.

With data breaches coming at greater frequency these days, he said, there is likely to be even bigger settlement awards in the future.

"Today's settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Illinois Attorney General Lisa Madigan, who co-led the investigation, said in a statement. "People must remain vigilant about activity on their credit and debit cards as it's not a matter of if but when you are going to be a victim of identity theft or a security breach."

Minnesota will get $283,736 for its portion of the settlement, according to the state attorney general's office.

Target has already taken steps after the data breach to shore up its systems. Jenna Reck, a Target spokeswoman, said the retailer will not have to put into place any additional security measures as a result of this settlement.

She added that the company's monetary payout to the states is already reflected in the data breach liability reserves that Target previously recognized and disclosed.

"We're pleased to bring this issue to a resolution for everyone involved," she said in a statement.

In its most recent annual report, Target said it has resolved the "most significant claims" related to the breach. The company said it has incurred $292 million of cumulative breach-related expenses, which were partly offset by insurance recoveries of $90 million for a net of $202 million.

In addition to this agreement, Target reached a $10 million settlement in March 2015 in a class-action consumer lawsuit. But that settlement has not been approved by the court yet, so consumers have not yet received compensation from the fund. A member of the fund has objected to the agreement, saying consumers were not getting enough and holding up the case. Target has also reached various agreements with financial institutions.

Among the steps Target took after the data breach was hiring Brad Maiorino to be its first chief information security officer. Maiorino left the company earlier this year to take a job at consulting firm Booz Allen Hamilton. Target has since promoted Rich Agostino, who was on Maiorino's team, to the top security post.

Kavita Kumar • 612-673-4113