The amount Target Corp. will pay to settle claims from consumers damaged by a 2013 data breach is big relative to similar cases, but only a small percentage of the tens of millions of people whose information was exposed will likely receive a piece of it, legal experts said Thursday.
A federal judge in St. Paul on Thursday gave preliminary approval to the $10 million settlement reached by Target and plaintiffs’ attorneys in a class-action lawsuit.
The payout is a small sliver of the $252 million in expenses the Minneapolis-based retailer has said it expects to pay because of the data breach in which shoppers’ financial and personal information was hijacked during the 2013 holiday shopping season.
In most cases, banks reversed fraudulent charges and reissued new cards at no cost to the customer, so a relatively small number of people suffered losses that would make them eligible for a significant monetary reward. But even so, experts said the settlement is one of the largest ever for consumers as a result of a data breach.
“Target did not get off lightly,” Avivah Litan, a security analyst with research firm Gartner, said in an e-mail interview.
She added the settlement is a sign that retailers will now be held more accountable for late fees, blocked bank or credit accounts and the time consumers spend to undo those damages.
“Target really needs to be commended for being willing to step up,” U.S. District Judge Paul Magnuson said at the hearing Thursday morning in St. Paul.
Target is still facing a lawsuit brought by banks that suffered a big brunt of the costs related to the breach. Experts said Target could be on the hook for an even larger settlement in that case.
In the consumer case, Target also agreed to pay up to $6.75 million for the plaintiff’s attorneys’ fees. In addition, it will cover an estimated $6 million to $8 million in costs to administer the claims process, which includes a third-party operator sending out postcards to consumers, reviewing claims, and sending out checks, said Vincent Esades, the lead attorney for the plaintiffs.
Notices should start going out in late April, and consumers will have a window of a few months to submit claims, he said. If the judge gives final approval to the settlement at a court hearing in November, and there are no appeals, customers should begin receiving checks early next year, Esades said.
Target initially faced many lawsuits following the data breach in which hackers infiltrated Target’s point-of-sale systems. About 40 million consumers had their payment card information stolen. Another 70 million people had their personal information compromised.
The lawsuits brought by consumers were consolidated into one case. In the settlement, Target denied any wrongdoing, but said it has agreed to settle the claims “to reduce and avoid further expense, inconvenience, and the distraction of burdensome and protracted litigation and thereby to resolve any controversy.”
To qualify for a portion of the $10 million settlement, consumers have to show that they suffered some sort of unreimbursed loss as a result of the breach.
Consumers are eligible to receive up to $10,000. But they have to provide documented proof of higher interest rates or late fees, loss of access to funds, replacement of ID cards, or that they suffered other calculable damages as a result of the breach. They can also submit claims for up to two hours of time spent in dealing with breach at the rate of $10 an hour.
The rest of the settlement will be split equally among consumers who submit a claim without documentation to back up specific damages.
So in one scenario, if the court awarded $1 million to customers who submitted documented claims and another 300,000 submitted claims without documented damages, the latter would receive $30 from the settlement fund.
Legal experts said it’s unlikely many customers will be able to show a lot of documented proof of significant damages.
“The odds of anyone getting $10,000 is virtually zero,” said Eric Goldman, a law professor at Santa Clara University in California.
He added that the number of people who will likely make claims will be a tiny percentage, likely under 1 percent of the affected consumers. Many people don’t submit claims for such settlements because they don’t know about it or think they’re not eligible, he said. Another hurdle is the uncertainty of knowing if the pay off will be worth the effort to send the claim in.
Esades acknowledged that few, if any, customers will likely be eligible for the full $10,000. But he said they wanted to leave enough wiggle room in case there were some consumers out there who suffered major damages.
He added that consumers who had an e-mail or home address stolen will not get a monetary reimbursement unless they can prove damages, such as identity theft, that resulted from the hacking.
Similarly, customers who had payment cards stolen will have to report some damages, such as having to reset auto-pays or time spent getting fraudulent charges reversed, in order to get some money.
More information about the claims process will be posted soon to targetbreachsettlement.com.
The Associated Press contributed to this report.