In March 2015, a court approved a $10M settlement in a consumer class action filed by plaintiffs related to Target’s December 2013 data breach. This news took many in the privacy breach sphere by surprise: the settlement was relatively quick, and the settlement amount was relatively low.
Affected consumers can receive up to $10,000 each for documented losses related to the data breach. Unrecovered funds will not go back to Target – they will be divided equally among consumers who cannot document claims but who are willing to state under oath that they have incurred losses. In addition, Target will fund $6.75M in fees to the plaintiffs’ attorneys. A report on the settlement on BankInfoSecurity.com quotes an attorney representing the plaintiffs saying that the entire settlement would likely cost Target about $25M, including legal fees and administrative costs.
This case is by no means the biggest component of Target’s data breach costs. In a 10K filing on March 13, 2015, Target said that as of January 31, 2015 they had “incurred $252 million of cumulative Data Breach-related expenses, partially offset by $90 million of expected insurance recoveries, for net cumulative expenses of $162 million.”
Those costs likely include an extensive forensic IT investigation, the cost of notifying up to 110M affected individuals and offering them credit monitoring insurance, and early legal bills to defend the consumer class action as well as lawsuits from multiple financial institutions arguing that Target owes hundreds of millions in damages for the cost of reissuing credit cards.
Target’s reported costs don’t yet factor in the cost of resolving those bank disputes, nor things like the reputational harm caused by the breach or the lost profits/sales Target suffered in the months following the breach.
Target has also committed to upgrading its POS systems on an accelerated schedule, although most retailers are expected to implement the more secure “chip and pin” technology by October 2015, when banks start pushing liability for fraud back to merchants using the older magnetic stripe POS systems.
But it was surprising to see this consumer case settle so quickly – and for a relatively low amount. Data breach “calculators” offered by many of the leading cyber insurers would predict that the cost of resolving consumer litigation (defense + settlement) in a breach involving similar parameters could be more than $150M. This might be a bit of good news for companies facing massive consumer data breaches.
To date, it has been difficult for plaintiffs to make the argument that consumers suffer any real harm in a data breach. Credit card companies reimburse their customers for fraudulent charges. And with a steady drumbeat of data breaches hitting the news daily, it can be difficult to conclusively tie a case of identity theft to a particular breach, let alone rule out that the criminals obtained the critical PII from some other source. Identity theft could stem from a lost wallet, or from a consumer logging onto critical websites while using public Wi-Fi.
Consumers have also become fatigued with data breaches in recent years. Most of us have received letters in the mail from multiple companies warning of a potential unauthorized access of our personal information (I can personally think of four different companies that have contacted my family in the last 18 months). Many come with offers of identity monitoring products and usually profess that they were the target of a “sophisticated” cyber attack. [I have yet to see a company admit they were duped by a “novice” or even “competent” attack.]
Accordingly, courts had been largely unsympathetic to consumer lawsuits alleging financial harm and personal injury to consumers.
In 2014, however, five cases settled, potentially breaking that logjam. With the exception of Sony, all involved relatively small numbers of consumer records (millions, not tens of millions). With the massive Target data breach in 2013, and the onslaught of media attention, many speculated that this case might be different. And while $10M is a new high-water mark, the number is consistent with the potential costs on a per-consumer basis.
| Company | Date of Breach/Settlement | # of Records | Type of Records | Settlement Fund |
|---|---|---|---|---|
| AvMed (FL) | 2010 / Jan 2014 | 1 million | Social Security Numbers and health records | $3.1 million |
| Stanford University (CA) | 2009 / April 2014 | 20,000 | Health records | $4.1 million |
| Schnucks (MO) | 2012 / July 2014 | 2.4 million | Credit cards | $2.1 million |
| Vendini | 2013 / July 2014 | 3 million | Credit cards and other PII | $3 million |
| Sony | 2011 / July 2014 | 77 million | Login credentials, PII and some credit cards | $15 million |
| | 2012 / August 2014 | 6.4 million (incl. 800,000 premium subscribers) | PII (login credentials only) | $1.25 million |
| Target | Dec 2013 / March 2015 | 40 million | Credit cards and other PII | $10 million |
Safe to say that the cost of a data breach can still be massive. And with consumer cases still pending in mega-breaches like Home Depot, Sony, and Anthem, we could see a different direction. But for companies looking for a bright side in the mess of data breach exposure, this $10M settlement just might be it.