A look inside the proposed Target class-action settlement with consumers

Early news reports indicate that Target will pay $10 million to settle a class-action lawsuit with the “Consumer Plaintiffs” related to the 2013 data breach at its stores. It appears this settlement does not include the “Financial Institution Plaintiffs” in the suit.

The Class Action Plaintiffs’ Memorandum In Support of Motion for Certification of a Settlement Class and Preliminary Approval of Class Action Settlement provides further information on the details of the proposed settlement. The consumer plaintiffs will be paid settlement proceeds through a dedicated website.

The proposed settlement also includes a provision requiring Target to adopt new security measures including appointing a chief information security officer and creating, implementing a written information security program and providing additional training to its employees. Consumer plaintiffs will be able to submit claims for damages of up to $10,000 on the condition they provide:

• Documentation for losses that they can reasonably attribute to the data breach. For example, this may include a credit card statement, invoice or receipt showing an unauthorized charge related the breach.
• Documentation for losses that include two hours of lost time at $10 per hour for each “documented loss they incurred.” For example, this would include time spent correcting unauthorized charges or obtaining a new driver’s license.

The settlement also requires Target pay the consumer plaintiffs’ attorney fees, and the retailer will not be able to contest any amount of attorney fees that does not exceed $6.75 million. The motion to approve the settlement was taken under advisement by Judge Paul Magnuson on March 19.

This settlement comes after a US District Court judge rejected Target’s argument that the consumer plaintiffs lacked standing because they could not establish that they suffered an injury from the December 2013 breach of their personal information.

While the settlement may be beneficial to the litigants, it is unfortunate that we will not be able to see how this data breach case would have played out from the consumers side. Of course, we will still have the litigation involving the Financial Institution Plaintiffs to provide guidance on this issues in the future.

While the litigation may have settled earlier than what spectators would have hoped, the memorandum submitted to the District Court has a significant amount of valuable information and is worth reading. For example, in a discussion about the class action plaintiffs’ investigation of the breach, the following items are identified:

• statements Target made on its website and in communications to its customers;
• examining iterations of Target’s privacy policy over a number of years preceding and during the period of the breach;
• analyzing testimony before and reports issued by Congressional committees
• reviewing news articles, including investigative reports, examining the causes of the data breach;
• valuating analysts’ reports; reviewing Target’s annual reports and submissions to federal agencies;
• conducting factual research into Target’s data security practices, including public information about past breaches of Target’s and other retailers’ systems;
• researching warnings and alerts issued by credit card issuers; studying industry standards governing data security; evaluating studies examining data security practices, breaches, risks and the impact of breaches; and
• communicating with knowledgeable consultants and experts on data security.

This list, drawing from resources existing both before and after Target’s data breach, provides further evidence of the importance preparing for a breach before it happens.