Target to pay $18.5M settlement for 2013 data breach

Dive Brief:

Target has agreed to pay a bulk settlement of $18.5 million to be distributed among 47 state governments and Washington, D.C., as it moves a step closer to settling all claims related to its huge 2013 holiday season data breach, Reuters reported.
California will receive more than $1.4 million from the settlement, the largest share of any state. The multi-state investigation into the incident was led by the Attorneys General of Connecticut and Illinois.
A spokeswoman for the retailer also told Reuters that Target has reached an agreement on a settlement for the remaining consumer class action lawsuit related to the breach, but the company is still awaiting final court approval on that proposed settlement.

Dive Insight:

About three and a half years after the security breach occurred, Target is still trying to put the incident behind it. And the price it is paying to do so doesn't come only in the form of court settlements. Three years ago, Target estimated the cost of the security breach to its bottom line at $150 million, though the Reuters reports the real cost was likely more than $200 million.

The incident won't be truly put in the past until the company can resolve the consumer class action settlement, which involves more than 200,000 consumers who claimed they were financially harmed by the data breach. That still could take some doing, as several media reports say an agreed-upon $10 million consumer settlement is being held up by a single plaintiff whose legal team believes consumer should be getting a bigger payout. Those reports suggest it could be months before that settlement is finalized.

Just as the legal wrangling carries on, so do security attacks affecting retailers. At the time of the Target data breach, in which 40 million cards were compromised, it was seen as a wake-up call — not just for retail — but for many other industries facing increasing security threats. It was supposed to serve as inspiration for companies to finally take data security threats seriously and invest heavily to prevent similar incidents.

To some degree, that did happen; the incident directly influenced the payment industry's migration to EMV chip-based cards and terminals. However, security breaches and attacks only seem to have become more frequent and creative in the years since, considering the cyberattacks in 2016 that plagued Eddie Bauer and Vera Bradley. Breaches are affecting physical stores and increasingly e-commerce sites.

In this environment, responsiveness and responsibility have become increasingly important. Target was widely criticized as initially being slow to respond to the December 2013 data breach and failing to communicate adequately about the scale of the breach. Other retailers were supposed to learn from Target's experience, but as new breaches and similar security incidents continue to occur, the retailers affected for the most part continue to be stingy with the details, something most recently demonstrated following reports that Brooks Brothers suffered a security breach that lasted almost a year.

What retailers need to realize is that security breaches are much more than PR crises to be managed. Retailers need to be forthcoming, re-assuring, responsive and responsible. All across their operations, retailers are making various investments with the aim of providing better customer experiences, but those efforts will go for naught if customers don't feel like retailers are willing to be honest with them — warts and all.