Last week, a US District Court initially approved a $10M settlement in a class action suit against Target for the Christmas 2013 hack that compromised millions of credit cards and the personal privacy information of 60 million customers. The impact of this settlement will be felt far beyond the $10M in damages provided by the settlement. In fact, the dollar value of the settlement pales in comparison to the incident response costs and fines assessed by the credit card issuers and government regulatory organizations (FTC, state attorney generals, etc.). Target had also taken action to comply with some of the requirements of the class action months ago when they established a CISO position and filled it last June.
One of the provisions of the settlement is extremely unusual and possibly unprecedented: allowing for payment of damages without documentation. Most settlements like this require individuals to provide proof of their losses. In this case, damages of up to $10,000 will first be paid to individuals who provide proof but then, the rest of the settlement funds will be divided among consumers who claim they suffered a loss, even if they don't have documentation.
An attorney for Target customers, Vincent Esades, said after the hearing that the settlement could end up costing Target substantially more than the $10M direct cap on settlements to the claimants. The total cost including attorneys’ fees and administrative costs could likely reach $25M.