Target to Pay Nearly $40 Million to Settle with Banks over Data Breach; Total Costs Reach $290 Million

By Daniel L. Farris

A settlement filed Wednesday provides that Target Corp. will pay $39.4 million to the banks and credit unions who brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach.  The breach, which impacted as many as 110 million individuals, compromised as many as 40 million credit cards. 

This most recent settlement comes on the heels of a $67 million settlement with Visa, and a $10 million settlement with consumers, both earlier this year.  The most recent settlement brings Target’s total costs to a staggering $290 million.  Target expects insurers to reimburse it for only $90 million of that total, and shareholder derivative lawsuits are still pending, as well as regulatory enforcement and investigation actions by the FTC and various state attorneys general.

While financial institution settlements now top $100 million, trade groups representing banks and credit unions have argued that the Target breach actually cost their members more than $200 million. 

Many will recall that the Target breach began after an HVAC vendor was hacked, providing cyber criminals access to Target’s backend system through its vendor interface. While the breadth and scope of Target’s losses are somewhat mind-numbing, this settlement should serve as yet another reminder of why a strong vendor management system, including privacy and data security policies and audits, is especially important in this day and age.

For more information about drafting vendor data security policies, or for advice on how to audit vendor compliance, please contact the author or a member of the Polsinelli Privacy & Data Security Team.