On Thursday, just three months after a district court judge in Minnesota denied Target’s motion to dismiss the consumer class action following the retailer’s massive 2013 data breach, the court granted preliminary approval of a $10 million settlement agreement requested jointly by Target and the consumer plaintiffs. Settlement funds will be distributed in a claims-made process run by a settlement administrator, with a cap of $10,000 per victim. Unclaimed funds will not revert back to Target, but instead will be split among all breach victims who submit claims. Class plaintiffs have also requested a whopping $6.75 million in attorney’s fees. The district court will have to approve plaintiffs’ fee request, which is disproportionately large at 67.5 percent compared to typical settlements, which hover around 33 percent.
The settlement also requires certain governance and internal control changes, some of which harken back to Federal Trade Commission-mandated consent decrees. The settlement requires Target to increase security protocols through a variety of initiatives, including appointing a chief information security officer to oversee the company’s global information security program. The company must maintain a program that identifies internal and external security risks to shoppers’ personal information, have a written information security program and provide security training to its employees. These security measures are not as conciliatory as they sound, however. Most of these requirements were likely already in place following the breach.
Before consumers start planning their next shopping spree with their settlement funds, they should be warned: it will not be as easy as it may seem to get a payout. Under the terms of the proposed settlement, the burden of proof lies with the plaintiff. Thus, claims would be based on whether plaintiffs can show they have suffered at least one of the following:
- unauthorized, unreimbursed credit card charges
- time spent dealing with unauthorized charges
- costs to hire someone to help correct credit reports
- higher interest rates
- loss of access to funds
- fees paid on accounts or
- credit-related costs, such as credit monitoring or purchasing credit reports.
The bulk of provable damages would fall under the first category. However, many cardholders have been reimbursed by their card issuers for the fraudulent charges and therefore will be unable to recover twice. These card issuers have filed their own, separate class action lawsuit against Target, and the company’s motion to dismiss that suit was also denied. Many speculate that the potential strength of the claims by the financial institutions in that suit, who bore the bulk of the damages from reimbursing their cardholders for the fraudulent charges, was a driving force in Target’s settlement of the consumer claims. Target’s swift settlement was also likely fueled by obtaining a relatively low settlement amount. The cost of a large data breach settlement not involving medical records is typically around $1 per class member. Target’s $10 million payout to an estimated 110 million class members is well below that. In addition, an early settlement cuts Target’s hemorrhaging ongoing litigation and data breach response costs; this settlement amount does not hold a candle to the $252 million that the company has spent thus far in responding to the breach.
Class members have until July 31 to opt out of the class, and the final settlement approval hearing is set for November 5, 2015. It remains to be seen whether Target will, or can, settle its other suit with the financial institutions.