On May 23, state attorneys general from 47 states and the District of Columbia announced a settlement agreement with Target Corporation to resolve the states’ investigation into the company’s 2013 data breach. Under the terms of the Assurance of Voluntary Compliance (“AVC”), Target will pay $18.5 million to the states – the largest multistate data breach deal ever reached, according to a press release from Illinois Attorney General Lisa Madigan.
The AVC did not provide factual allegations regarding the breach. However, press releases from various state attorneys general asserted that Target’s 2013 data breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers. The press releases further alleged that cyber attackers had accessed Target’s gateway server through credentials stolen from a third-party HVAC vendor. The stolen credentials were then used to exploit weaknesses in Target’s system, allowing the attackers to access a customer service database, install malware on the system, and capture customer data. The stolen data included customers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification (CVV1) codes, and encrypted debit PINs, according to the attorneys general’s press releases.
Under the terms of the agreement, Target will pay $18.5 million to the state attorneys general. In addition, Target will be required to adopt cybersecurity standards that include the following:
- Develop, implement, and maintain a comprehensive information security program;
- Employ an executive or officer who is responsible for executing the plan;
- Hire an independent qualified third party to conduct a comprehensive security assessment;
- Maintain and support software on its network for data security purposes;
- Maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
- Segment its cardholder data environment from the rest of its computer network; and
- Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication.
As we previously reported here, state attorneys general have been active in investigating data breaches and in promoting effective cybersecurity standards. This settlement is noteworthy since the amount appears to be twice as much as the next largest state A.G. data breach settlement. In 2009, T.J. Maxx entered into a settlement agreement with 41 state attorneys general for $9.75 million over an alleged breach involving more than 94 million credit and debit cards. More recently, in 2015, online retailer Zappos reached a settlement with nine state attorneys general over a 2012 data breach that compromised personal and financial information of nearly 24 million of the company’s customers. Under that settlement, Zappos agreed to pay more than $100,000 to the states and to implement enhanced privacy policies and security standards. The recent settlement with Target demonstrates the states’ continued interest in investigating data breaches.
Madigan and Connecticut Attorney General George Jepsen, long considered leaders in the cybersecurity and privacy space, led the investigation. Other states that signed the agreement were Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia, and the District of Columbia. California, also long considered a leader in the cybersecurity and privacy space, is negotiating an independent settlement that incorporates the substantive terms of the AVC, and the $18.5 million payment includes the payment to California.