Target Settles Litigation Over 2013 Data Breach for $10 million
Yesterday, the parties in the multi-district Target data breach class action litigation submitted to the district court overseeing the litigation a motion for preliminary approval of a $10 million settlement. Target originally announced the data breach on December 19, 2013, at which time it estimated that the breach affected as many as 40 million card holders. Target later announced that the names, mailing addresses, phone numbers and email addresses of up to 70 million individuals may also have been compromised. In December of 2014, the district court denied Target’s motion to dismiss the litigation, rejecting Target’s argument that consumers lacked standing to sue because they could not establish any injury. Settlement followed shortly thereafter. Relevant settlement terms include:
- The settlement class is defined as all persons in the United States whose credit or debit card information and/or personal information was compromised in the breach disclosed on December 19, 2013.
- The $10 million settlement is non-reversionary, meaning no unclaimed amounts will be returned to Target.
- Target will pay all expenses of the administration of the settlement on top of the $10 million settlement amount.
- Class members who submit a valid claim with documentary support of losses caused by the breach (“Documentary Support Claims”) are eligible to recover “Substantiated Losses and Lost Time.” The maximum amount any individual class member submitting a Documentary Support Claim can recover is $10,000. Lost Time is defined as “time spent dealing with each type of Substantiated Loss.”
- Class members that submit a valid claim form without documentary support are eligible to receive an equal share of the settlement amount remaining after payment to both class members that did provide documentary support and the class representatives.
- The Settlement Administrator has sole discretion to evaluate the validity of Documentary Support Claims. To the extent the Settlement Administrator determines that losses are less than the amount requested by the claimant, the Settlement Administrator will notify the claimant who can challenge the Settlement Administrator’s decision with Plaintiffs’ and Target’s counsel.
- Attorneys’ fees will not exceed $6,750,000, which is approximately 66% of the settlement amount.
- Notice of the settlement will be provided by email for all Class Members for whom Target has an email address and Postcard Notice for Class Members for whom Target does not have an email address but for whom Target has a postal address. The Settlement Administrator will also provide notice via publication and establish an Internet website and toll-free number to provide settlement-related information.
- Class Members can opt-out of the settlement only by submitting a signed letter requesting exclusion via U.S. Mail. Class Members cannot opt-out via email or telephone. The settlement can be terminated if there are more than 5,000 valid opt-outs.
- Target is required to implement the following measures and keep them in place for five years: (a) designate a Chief Information Security Officer; (b) maintain a written information security program; (c) maintain a process to monitor and respond to “information security events”; and (d) provide security training to Target employees. The settlement does not appear to include a process to monitor Target’s compliance with this non-monetary relief.
Photo by OTA photos from Flickr