23 March 2015

Data Breach Compensation

US retailer Target is reported to agreed to establish a US$10m fund for victims of the 2013 data breach, which exposed details of around 40 million customers.

Victims will need to fill out a claim form covering whether they used a credit or debit card at a Target store in the U.S. between 27 November and 18 December 2013 and whether they have reason to believe that their information was compromised as a result of doing so.

The fund gives effect to a settlement in a class-action lawsuit.

The settlement requires Target to -
  • maintain a “written information security program” that it monitors and evaluates with metrics, 
  • establish a process for responding to security risks, and 
  • create a formal program to train Target employees on data security. 
Losses covered by the claim form include -
  • unauthorized/unreimbursed charges, 
  • fees for hiring someone to correct a credit report, 
  • late and declined payment fees, 
  • costs for monitoring accounts or replacing important documents post-breach,
  • up to two hours of “lost time” (billable at $10 per hour). 
In practice the requirement for “reasonable documentation that the claimed losses were actually incurred and more likely than not arose from the Intrusion" will limit the pool of claimants.

The New York Times states
The retailer estimated recently that it had already accrued $252 million in expenses related to the data breach as of the end of January, a figure it said would be partly offset by an expected $90 million in insurance payouts. That estimate was based on the prospect of settling many lawsuits, Target said. 
Target faces further claims from three of the four major credit card companies, and is likely to face action from the fourth, it said in an annual filing on March 13. State and federal agencies, including the state attorneys general, the Federal Trade Commission and the Securities and Exchange Commission, are also investigating the breach, and may seek to impose fines and other penalties, according to Target.