Should We Praise Target for Settling Data Breach Lawsuit?

March 19, 2015 Updated: October 5, 2018

Target will pay $10 million in a lawsuit settlement to customers hurt by the company’s massive 2013 data breach, U.S. District Judge Paul Magnuson confirmed on Thursday.

“Target really needs to be commended for being willing to step up,” the judge said.

But the settlement came only after Target tried and almost succeeded at stopping the lawsuit.

For three weeks during the December 2013 holiday shopping season, hackers stole data of about 110 million Target customers, including information from 40 million payment cards.

Over 100 people sued Target for fraudulent charges on the leaked cards and also for losing access to their accounts and being forced to pay late fees, card-replacement fees, and credit monitoring costs.

The plaintiffs accused the company of negligence, breach of contract, and several other transgressions.

But Target moved to dismiss the suit and in December the judge indeed dismissed most of the allegations.

Just one point survived the defense lawyers’ scrutiny: The customers argued that Target knew or should have known about the breach and that they would not have continued to shop there if the company had told them. The judge acknowledged that this, if proven, can be considered “unjust enrichment,” as the company got business that it “in equity and good conscience” should not have received.

To be sure, at that time Target was already in talks with the plaintiffs about a settlement, according to Wendy Wildung, partner at Faegre Baker Daniels law firm representing Target in the lawsuit, as quoted in a court document.

But still, it was a close call for the customers to even keep the lawsuit alive.

Indeed, Target may have had a fair confidence to believe the customers would fail.

“In consumer cases that have been brought across the country, the vast majority of them have been dismissed,” Wildung stated in court last August.

Hard to Sue

It is not so easy to sue a company for a data breach. In many cases the customers are not tangibly hurt. If somebody misuses a stolen credit card, the card company usually covers the costs.

Just the fact of living in constant anxiety that one’s data are out there for potential abuse would probably not be enough to sue.

For example, last May some 145 million eBay accounts were compromised by hackers. The company said no financial information was leaked.

Just the fact of living in constant anxiety that one’s data are out there for potential abuse would probably not be enough to sue.

A class action lawsuit was filed on behalf of Collin Green and all customers of eBay, but it faces a tough future. In September, eBay moved to dismiss the lawsuit arguing the plaintiff has not been actually harmed by having his data stolen.

And the court is likely to side with eBay.

“Unlike fraudulent use of credit card numbers, fraudulent use of the even more sensitive personal data leaked by eBay, is almost impossible to attribute to them. What is even more ironic is that the kind of fear generated by the breach is not the kind of damage that is covered by tort law,” stated William Hugh Murray, executive consultant for TruSecure Corporation and a Senior Lecturer at the Naval Postgraduate School, in a comment on “[W]hile I believe that eBay should be held accountable for it, I doubt that this kind of suit will be successful.”

Money from Target

Target was in a different position. After the breach, the company was criticized for having lax data security and struggled to rebuild customer confidence.

Over the 2014 holiday season, Target offered free shipping on all items. It recently announced that it was cutting its minimum online purchase to qualify for free shipping in half to $25. And on Wednesday the retailer said it will now allow returns for up to a year for its private and exclusive brands.

Vincent Esades, an attorney for Target customers, said after the hearing that the settlement could end up costing Target $25 million, when attorneys’ fees and administrative costs are added in.

But to get money from the settlement, customers will have to prove their losses. For example unauthorized charges, higher fees or interest rates, and lost time dealing with the problem.

The maximum compensation can reach $10,000 per person, but a customer will likely see much less.

“I would say probably $50-$100 is probably what you’re going to get,” estimated Brian Yarbrough, consumer research analyst with Edward Jones, according to USA Today.

Still, Target is offering real money. When Sony PlayStation got hacked in 2011 and leaked personal data of 77 million customers, the company later settled a class action lawsuit with free computer games, game and music subscriptions, and Sony’s online currency used to buy game perks.

Follow Petr on Twitter: @petrsvab