Davis Polk Discusses Target’s Cyber Breach Settlement

On May 23, Target Corp. reached a record $18.5 million settlement with 47 states and the District of Columbia to end investigations into Target’s data breach in 2013.  The settlement highlights the growing list of specific measures that companies are expected to have in place to mitigate the risk of cyber breaches.

In 2015, Target reached a class action settlement with consumers that required the company to implement certain measures to protect customer information. In re Target Corporation Customer Data Security Breach Litigation No. 14-2522 (D. Minn. Mar. 18, 2015).  Comparing the measures that were required in the 2015 settlement with those in the 2017 settlement highlights the dramatic increase in expectations for cybersecurity over the last two years.  Indeed, the requirements set forth in the recent Target settlement closely track the cybersecurity measures that were recently imposed by the New York Department of Financial Services (“DFS”) through Rule 23 NYCRR 500, which New York Governor Cuomo described as “strong, first-in-the-nation protections,” and which the DFS characterized as “landmark regulation.”[1]

This chart lists some of the specific cybersecurity measures required in the 2017 settlement:

The significant overlap between the terms of the recent Target settlement, which included 47 Attorneys General, and measures required by the new DFS cybersecurity regulations illustrates the specific measures that appear to be emerging as industry best practices in cybersecurity.


[1] Press Release, New York Department of Financial Services, Governor Cuomo Announces First-in-the-Nation Cybersecurity Regulation Protecting Consumers and Financial Institutions from Cyber-Attacks to Take Effect March 1 (Feb. 26, 2017), http://www.dfs.ny.gov/about/press/pr1702161.htm.

[2] Pursuant to Rule 23 NYCRR 500, entities that are subject to the DFS cybersecurity regulations have grace periods before they are required to comply with the requirements, which take effect in stages ranging from August 2017 to March 2019.  Certifications of compliance with those regulations are required in February of the year following the year in which the particular requirement became effective.

This post comes to us from Davis Polk & Wardwell LLP. It is based on the firm’s client memorandum, “Target Corp. Cyber Breach Settlement Reflects Emerging Best Practices for Cybersecurity,” dated May 30, 2017, and available here.