Target's Data Breach Costs Reach $148 Million

Target's Data Breach Costs Reach $148 Million Target's Data Breach Costs Reach $148 Million
In a Press Release issued on August 5, 2014, Target Corporation announced that its costs to address the December 2013 data breach have reached approximately $148 million. This number is "partially offset by a $38 million insurance receivable,"[1] of the $100 million network security insurance coverage available.[2]

The Company further noted that, "[e]xpenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks." In its 10-Q report from May 29, 2014, Target advised that it expects these claims to "include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred."[3] Interestingly, Target specifically noted that, "[w]hile an independent third-party assessor found the portion of [its] network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach."[4]

As of May 29, Target also had more than 100 actions filed against the Company "on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach."[5] Additionally, Target reported that "State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and [Target's] responses."[6]

On July 24, 2014, U.S. District Judge Paul Magnuson, U.S. District Court, District of Minnesota, rejected Target's motion to stay discovery in a multidistrict litigation over the data breach. Target requested the stay pending the court's decision on a motion to dismiss that Target intends to file, noting that, "any motions to dismiss will be fully briefed by the end of October in the bank cases and the end of November in the consumer cases."
[7]  Judge Magnuson ruled that, "[g]iven the Court's practice of issuing rulings on dispositive motions within one month of the hearing date, if not sooner, discovery will have proceeded for only a few months by the time the Court rules on Defendants' motions. Ninety days' worth of discovery does not impose such a burdensome expense to warrant disturbing the case's schedule."[8] Discovery is scheduled to begin in September 2014.

A few comments.... Data breach remediation is clearly expensive. The Target incident is also a good reflection of what we continue to see in the market for both payment card and protected health information related data breaches - numerous class actions combined with federal and state government investigations. Additionally, as noted by Target in its 10-Q report, a third-party vendor found Target in compliance "with applicable data security standards" (presumably PCI-DSS) in fall 2013, but "the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach." Organizations storing personally identifiable information, whether it be credit card data or medical records, must carefully assess their risk on a continuous basis.


[1] SEC, Form 8-K, Target Corporation, Aug. 5, 2014, available at

[2] SEC, Form 10-Q, Target Corporation, May 29, 2014, p. 9, available at

[3] Id. at 8.

[4] Id. at 8.

[5] Id. at 9.

[6] Id. at 9.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, Order, July 24, 2014 (Court Order denying Defendants’ Motion to Stay Discovery (Docket No. 125)), available at

[8] Id.


Posted by Tatiana Melnik on August 6, 2014

April 2021

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)