With $10M Settlement, Target Looks to Shrug off Breach Costs
Target is well on its way to shrugging off the largest data breach in history, as the company agrees to pay $10M into an escrow account for victims.
Target Stores said on Thursday that it has agreed to pay a proposed $10 million settlement in a class action lawsuit filed on behalf of customers affected by the massive 2013 data breach at the Minnesota-based box store chain.
As reported by Reuters, Target will set aside $10 million into an escrow account to be distributed to qualified victims of the hack of its network, which resulted in the theft data for some 40 million credit cards. Customers affected by the breach will be entitled to up to $10,000 individually.
The proposed settlement will also require Target to “adopt and implement data security measures such as appointing a chief information security officer and maintaining a written information security program,” according to Reuters.
"We are pleased to see the process moving forward and look forward to its resolution," said Target spokeswoman Molly Snyder.
The settlement is good news for the millions of consumers who may have had personal information stolen in the breach. That information was later fenced on underground cybercriminal websites with links to Russian and Eastern European criminal groups.
But the amount in question – $10 million – also underscores the fact that companies that hold on to, but then lose hold of sensitive data rarely pay a high price for doing so. The amount of the settlement is just 0.5% of Target’s net profit for 2014, and an even tinier fraction of the company’s $51 billion market capitalization. Looked at another way: Target is putting $0.25 down for every credit card number leaked in the incident.
Of course, the company still must settle suits filed by a number of banks and shareholders who are also seeking damages related to the breach. As this article notes, a judge in December rejected a motion by Target to have the bank lawsuits dismissed, saying the company bore individual responsibility for the breach – a change from established precedent, which held retailers, banks and credit card companies equally liable for losses related to data breaches.
It is worth noting that Target suffered short-term damage from the breach: a decline of 2.5% in sales during the all-important holiday shopping season in 2013. At least some of that is attributable to bad press over the data breach, analysts say. The company’s CEO, Gregg Steinhafel, also resigned in May 2014 – a move prompted in part by the damaging breach.
But take a step back and Target looks to be following in the steps of other large retail firms that have also lost track of data on millions of consumers. Namely: a dip in fortunes followed by a strong return to growth. Part of the reason is that – despite the bad press – companies today face few serious penalties even for major lapses in security. Much of the cost borne by the firms comes in the form of consulting costs linked to cleanup and investigation, as well as new technology investments designed to fix whatever ailed the firm.
Costs related to fines or making consumers whole are negligible. An example, companies routinely offer to pay for credit monitoring services for anyone affected by a breach. However, that turns out to be a good a very good deal for the affected firm. Fewer than 10% of eligible customers take advantage of such offers. And, for very large breaches, the number of customers that take companies like Target up on their offers could be in the low single digit percentages. In the meantime, the firm gets points for being responsive to customer needs.
The markets are quick to forget past misdeeds and focus on the quarters ahead, rather than those behind. Target is a good example of this: the company’s stock is selling at an all time high of $80 per share, after falling as low as $55 per share in the immediate aftermath of the breach.
While that’s good for the economy and for the employees of those firms, it also sends an uncertain message to other firms about the real downside to lax data security practices. If even massive data breaches like the one that Target experienced are perceived as mere pimples on a company’s financials, rather than deep (or even mortal) wounds, what impetus do they have to evaluate their collection and use of such data, or to invest in technologies and processes to keep their networks and data safe?
Paul Roberts is the Editor in Chief of The Security Ledger.