Agreement With 47 States And D.C. Represents Largest Multistate Data Breach Settlement To Date
Settlement Requires Target To Improve Data Security, In Addition To Paying Monetary Penalty And Providing Previously Negotiated Credit Monitoring For Impacted Consumers
New York To Receive Over $635K
New York Attorney General Eric T. Schneiderman today announced that 47 states and the District of Columbia have reached an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the retail company's 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. The agreement represents the largest multistate data breach settlement achieved to date and will bring $635,224.33 to New York State.
“New Yorkers need to know that when they shop, their data will be protected,” said Attorney General Schneiderman. “This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward.”
The states' investigation—led by the Attorneys General of Connecticut and Illinois—found that in November of 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database and to install malware on the system that was used to capture consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs.
In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement, and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain and support software on its network and to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data. The agreement also requires the corporation to segment its cardholder data from the rest of its computer network and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
In December 2013, following a recommendation from the New York Attorney General’s Office, Target agreed to provide free credit monitoring to potential victims of the data breach in New York.
States participating in the settlement include: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, New York, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.