According to court documents, Target Corp and consumers have agreed on a $10 million settlement to end a class-action lawsuit filed after an enormous data breach during the 2013 holiday shopping season.
If approved, the settlement would be the second-largest related to a data breach. Last year Sony agreed to a $15 million settlement in a class action lawsuit from its breach in 2011.
The Target settlement comes just several months after it was denied a motion to dismiss the litigation against it on the grounds, at least in part, that the plaintiffs did not satisfactorily prove they had suffered any injury as a result of the breach.
Now consumers will have to demonstrate harm by documenting direct losses from the breach, such as fraudulent charges or cost to replace identification, or time spent straightening out the consequences of the breach, such as waiting for a new driver’s license.
Lon A. Berk, partner at law firm Hunton & Williams, told Advisen the settlement agreement “appears to be a good deal for Target and its insurers–who avoid the costs of expensive and protracted litigation–as well as the class representatives–who will receive service payments to be fixed by the court.”
There is also some finality for insurers in knowing that even if the number of approved claims and other costs does not reach $10 million, the money does not go back to Target. It is distributed by court order.
Berk also mentioned it seemed like a good deal for class counsel, who appear to be seeking more than $6.7 million in fees.
Individual victims of the breach can get up to $10,000 in damages from the interest-bearing escrow account in which Target will keep the settlement. Claims will be processed online. However, experts tell Advisen individuals from the group of 110 million potentially affected customers will not have losses anywhere near $10,000, especially since many have had fraudulent charges reimbursed by card companies.
“Thus, when you look at it, the settlement confirms arguments by defense counsel that there is not significant harm to consumers arising out of these sorts of events,” Berk said.
It should be noted that Target’s motion to dismiss another class-action lawsuit against financial institutions was also denied late last year. Banks are seeking damages related to the costs of issuing new payment cards and reimbursing fraudulent charges. This case may be even more financially damaging to Target. Banks have said it cost hundreds of millions of dollars to fix what happened to consumers after the breach. At least 40 million payment cards were exposed as part of the breach.
The Target case caught the attention of many when its motion to dismiss litigation from consumers was denied because courts had previously dismissed data breach class actions because plaintiffs could not demonstrate harm since fraudulent charges are rectified by banks and only a small percentage of people are victimized by identity theft, explained Roberta D. Anderson, partner at law firm K&L Gates.
“At least until 2014, it’s fair to say that a company sued in Target-style data breach class-action litigation could reasonably expect that the litigation would be dismissed at the pleadings stage for lack of standing,” Anderson said.
But the outcome of the Target consumer litigation–though it was allowed to proceed farther than others–is still what it is. Straight math amounts to about 9 cents per person.
“Even if plaintiffs get past a motion to dismiss based on lack of standing, there are lots of other procedural and substantive hurdles to go through. But, clearly, from a defense perspective, the company is looking at significantly increased defense costs if the cases proceed,” Anderson told Advisen. “So, if a case clears the standing hurdle, it often makes sense to settle.”
However, the settlement should do nothing consumers’ ability to prove harm and/or damages, said Scott N. Godes, partner at Barnes & Thornburg.
“The case never made it to a stage where there was a showing of actual harm, ” he told Advisen “At this point, there were only allegations of harm. The fact the case settled should not affect the state of the law and the bar that plaintiffs must overcome. Policyholders and insurance companies sometimes factor in the cost of defending actions, and financial certainty, when trying to reach a settlement. By settling, the case left unresolved whether any claimant could make an actual showing of harm that would warrant the recovery of damages.”
The settlement also requires Target to appoint a CISO, maintain a written information security program, develop a process to monitor information security events, and train employees on security. Godes said he wondered if insurance policies cover these costs.