On March 19, 2015, the United States District Court in the
District of Minnesota gave preliminary approval to a proposed
settlement for the December 2013 data breach suffered by Target
Corporation.1 Target proposes to settle the consolidated
consumer class actions by paying US$10 million, amounting to a
maximum of $10,000 for each affected individual, and by agreeing to
bolster its protection of customer data. The settlement agreement
has received preliminary approval with a final hearing set for
It was first disclosed on December 19, 2013 that hackers had
broken into Target's computer network through the heating,
ventilation, and air conditioning control and monitoring systems,
resulting in the theft of credit and debit card information for
over 40 million customers and other personal information of 70 to
110 million customers.2 Dozens of proposed class action
lawsuits were subsequently filed in the United States and were
eventually consolidated into three groups: consumers, financial
institutions, and shareholders. The recent settlement is limited to
the consolidated consumer class action.
Proof of damages to access settlement payments
While affected customers are eligible for up to $10,000 in
damages, claimants must provide documentary evidence of losses
actually incurred which were more likely than not caused by the
data breach. Evidence may include credit card statements, invoices
and receipts, but not personal declarations or affidavits from the
claimant. If adequate evidence is provided, claimants will also be
entitled to receive limited reimbursement for time spent dealing
with each loss. Once claims supported by documentary evidence have
been paid out, and class representatives have been compensated, the
claims without supporting documentation will share equally in what
remains of the $10 million settlement.
Additional measures to protect customer data
The settlement agreement also includes a non-monetary component
requiring that Target:
- appoint a Chief Information Security Officer, a high-level
  executive responsible for the company's information security
  program and the protection of customer
- maintain a written information security program, which would
  identify potential risks to customer personal information and
  involve periodic reviews by senior leadership of the safeguards
  in place to control such risks;
- maintain procedures for monitoring and responding to information
  security events, which would include software security testing
  and breach response policies; and
- provide training to employees on the importance of and methods
  for securing customer personal
In reviewing data security policies and practices, businesses
and institutions should consider implementing the above measures to
ensure that confidential and personal information is well protected
in light of the growing threat of hacking and the potential
vulnerability of computer networks.
Canadian litigation remains pending
As a result of this same data breach, a proposed class action
against Target in Canada was filed at the Québec Superior
Court in March 2014.3 According to the Québec
claim, the data breach affected approximately 700,000 Canadian
1 In re: Target Corporation Customer Data Security
Breach Litigation, 2015 U.S. Dist. LEXIS 34554 (D. Minn.
2 The compromised information included names, phone
numbers, mailing addresses, email addresses, credit and debit card
numbers, encrypted PIN numbers, expiration dates and magnetic
3 Zuckerman v. Target Corporation, Québec
Superior Court (Court File No. 500-06-000686-143, 2014).
The content of this article is intended to provide a
general guide to the subject matter. Specialist advice should be
sought about your specific circumstances.