The 40 million-odd victims of the great Target data breach of 2013 may finally get some compensation for their troubles. Target has agreed to pay $10 million to establish a fund for victims of the data breach, according to a 97-page settlement reached in a class-action lawsuit. Those looking to collect will need to fill out a claim form that asks, among other things, whether they used a credit or debit card at a Target in the U.S. between Nov. 27, 2013, and Dec. 18, 2013, and whether they have reason to believe that their information was compromised as a result of doing so.
In addition to outlining monetary relief, the settlement also instructs Target to designate a chief information security officer (it already has), maintain a “written information security program” that it monitors and evaluates with metrics, establish a process for responding to security risks, and create a formal program to train Target employees on data security. “We are pleased to see the process moving forward and look forward to its resolution,” Target spokeswoman Molly Snyder told Reuters.
Victims of the breach will be eligible for up to $10,000 in compensation each. Losses covered by the claim form include unauthorized/unreimbursed charges, fees for hiring someone to correct a credit report, various late and declined payment fees, and similarly various costs for monitoring accounts or replacing important documents in the wake of the breach. For each type of loss, victims can also file for up to two hours of “lost time” (billable at $10 per hour). The key point seems to be that claimants must submit “reasonable documentation that the claimed losses were actually incurred and more likely than not arose from the Intrusion.” Hopefully, those 40 million people were keeping good records.