On May 23, 2017, various Attorneys General of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.

Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan led the investigation, which found that hackers used credentials stolen from a third-party vendor to access Target’s gateway server and install malware that enabled them to capture consumer data, including names, contact information and payment card information of over 40 million customers. In addition to the monetary settlement, Target will adopt measures to secure and protect consumer information. For example, Target has 180 days to develop and implement a comprehensive information security program to be overseen by an executive reporting to its CEO and Board of Directors. The settlement also requires Target to obtain a third-party assessment of the measures it adopts and submit the assessor’s findings to the states.

Attorney General Madigan described the measures as setting “industry standards for companies that process payment cards and maintain secure information about their customers.” Attorney General Jepsen not only commended Target for its actions in response to the breach, including its cooperation with the states’ investigation and settlement negotiations, but also hoped the settlement would “serve to inform other companies as to what is expected of them in terms of the security of their consumers’ information.”