Key takeaways

• A settlement in the multi-district litigation between Target Corporation and up to 110 million consumers whose personal information was compromised by a late 2013 data breach was preliminarily approved on March 19 by the District of Minnesota. The proposed settlement resolves one of the largest consumer class-actions stemming from a data security breach and provides a roadmap for what future settlements may look like.
• Under the proposed settlement, Target will pay $10 million to class members. Administrative and other costs might drive the final figure closer to $25 million.
• A unique aspect of the settlement is that it requires Target to adopt a series of non-monetary measures to better safeguard consumer data, including the appointment of a Chief Information Security Officer, maintenance of a written information security program, processes to monitor and respond to breaches and security training for employees. Such steps provide a roadmap for practices companies can adopt now to help mitigate cybersecurity risk.
• The settlement does not resolve claims brought by financial institutions against Target. Nor does it resolve ongoing government investigations into Target’s data breach.