A federal district court judge granted preliminary approval of a $10 million settlement in an action brought by a class of Target patrons who allege injury resulting from a massive data breach in November and December of 2013. The number of lawsuits against corporations whose data management systems have been compromised has risen over the past few years. For example, the Target data breach was closely followed by data breaches against Home Depot and Community Health Systems, resulting in a flurry of lawsuits.
For Target, its agreement to settle may put this lawsuit in its rearview in coming months. On March 19, 2015, Judge Paul Magnuson of the United States District Court for the District of Minnesota granted plaintiffs’ motion to preliminarily approve Target’s settlement with consumers who allege that their personal information, including credit and debit card information, was unlawfully obtained by hackers. Specifically, the court found that the settlement was “fair, reasonable and adequate to warrant providing notice of the Settlement to the Class.” The settlement, if approved, would provide up to $10,000 in available recovery for each member of the class. Class members who look to recover that amount will be tasked with proving actual damage through, among other things, credit card statements demonstrating unauthorized charges and proof that they spent time investigating the fraudulent charges and incurred costs associated with replacing identification and correcting their credit reports due to increased interest rates and fees. After the plaintiffs who are able to overcome the difficult task of proving actual harm recover, the remaining settlement funds will be distributed among class members who are not able to document their loss and who have filed a “Self-Certification Claim.”
Target’s $10 million payment is not the only condition of its settlement. In addition to compensating the class, Target is also required to appoint a chief information security officer, keep a written data security program and offer security training to its workers. Target must also maintain a process to monitor for data security events and respond to such events deemed to present a threat. Many of these protocols are likely being put in place already as Target continues to try to bolster consumer confidence in its data security system.
The settlement is likely favorable to both Target and the class as class members are individually relieved from the difficult task of proving actual damages in order to recover and Target can put one of multiple class actions to rest. Following the March 19 order, class members have until July 31, 2015, to submit objections or to request to be removed from the class. Final approval of the settlement is set for hearing on November 10, 2015.
— Haley Fowler Gregory
