Data Protection Report - Norton Rose Fulbright

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.

Background

In the 2013 security incident, hackers gained access to the credit and debit card information of up to 110 million Target customers.  The incident resulted in over 100 private lawsuits across the country that were consolidated in federal court and divided into three groups.  The group of consolidated cases brought by financial institutions (such as the banks that issued the credit and debit cards that were compromised) has settled, and the court has approved that settlement without objection.  The shareholder derivative suit was dismissed without opposition after Target’s special litigation committee’s report concluded it was not in the company’s best interests to pursue the claims.  And as we recently reported, the group of consolidated consumer class actions settled, but the settlement was vacated on appeal and is currently being reevaluated in federal district court.

Meanwhile, the Attorneys General of 47 states and the District of Columbia undertook investigations of the incident in light of state consumer protection and data breach laws.  The global settlement of those investigations, dated May 15, 2017, has now been publicly announced.

The Settlement

Under the settlement, Target agreed to the following:

  • Complying with state consumer protection statutes and state statutes concerning personal information security and breach notification;[2]
  • Not misrepresenting the extent to which it secures personal information;
  • Developing and implementing a comprehensive information security program within 180 days, which should include:
    • Appropriate handling and investigation of security events;
    • Maintaining and supporting software on its networks with an eye to how it will affect data security;
    • Maintaining protocols for encrypting personal information in transit across public networks and at rest on portable devices and certain desktops;
    • Complying with PCI DSS with respect to payment card systems;
    • Segmenting its payment card systems from the rest of its network and assessing its vulnerabilities;
    • Managing access to individual accounts through strong passwords and password-rotation policies;
    • Restricting or disabling unnecessary access to payment card systems;
    • Reasonably integrating two-factor authentication for individual account access;
    • Implementing appropriate controls to notify personnel of unauthorized modifications to critical applications or files;
    • Implementing appropriate controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers;
    • Reasonably managing, monitoring and logging access to payment card systems;
    • Implementing change control policies and procedures for network systems;
    • Maintaining appropriate separation between development and production environments;
    • Implementing appropriate payment card security technology, such as chip and PIN technology; and
    • Taking reasonable efforts to devalue credit card information by encrypting it throughout the course of an on-site retail transaction.
  • Employing an appropriate executive or officer to be responsible for implementing and maintaining the information security program and reporting to the CEO and Board of Directors on information security matters;
  • Developing and implementing a program for auditing vendors’ compliance with its information security program;
  • Within one year, obtaining an information security assessment and report from a certified and experienced third-party professional and providing it to the Connecticut Attorney General’s Office; and
  • Paying $18,500,000 to the Attorneys General per instructions from the Illinois Attorney General and Connecticut Attorney General.

In exchange, Target receives releases of claims from the Attorneys General.

Our take

The Target Attorney General settlement is a useful guide to the types of remedial measures being accepted by regulators to settle investigations arising from major data security events.  Consistent with settlements reached by the FTC and other federal agencies, the settlement is focused upon the elements of an acceptable information security program.  The Target settlement is most notable for its detail, and may serve as a guide for future settlements of this magnitude.

In addition, the $18.5 million price tag for the settlement payment (in addition to payments that may need to be made under the class-action settlement currently in limbo) is another reminder of the costs that can flow from a major data incident.

[1] Hawaii is represented by its Office of Consumer Protection because it has the statutory authority to pursue such claims, rather than the state’s Attorney General.

[2] New Mexico and South Dakota did not have data breach statutes in effect at the time of the agreement, so Target agreed to notify affected individuals in those states, and those states’ Attorney General’s offices, in the event of a “future breach of security involving the unauthorized access to or acquisition of Personal Information . . .”  New Mexico’s data breach notification act comes into effect on June 16, 2017.