Header graphic for print
Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Target Data Breach Price Tag: $252 Million and Counting

Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, Privacy Litigation

In a recently-released Form 8-K filing announcing fourth quarter and year-end financial results, Target Corporation reported that expenses incurred in 2014 relating to its 2013 data breach totaled over $191 million.  Those expenses were offset by $46 million in insurance proceeds, resulting in a $145 million charge against Target’s 2014 operating results.  The expenses incurred in 2014 were in addition to $61 million in breach-related expenses incurred in 2013 which, after receipt of $44 million in insurance proceeds, yielded $17 million in net breach-related expenses for Target in 2013.  In all, Target has incurred $252 million in costs arising from the data breach through the end of 2014 which, after receipt of $90 million in insurance proceeds, has resulted in total net expenses to Target in 2013 and 2014 of about $162 million.

 

Those expense figures will continue to mount over the course of 2015 as Target continues to deal with ongoing litigation and regulatory fallout from the 2013 data breach.  The enormous costs that Target has already incurred should serve as a stark warning of the financial consequences of a data breach.  While we have repeatedly observed in this space that private litigants have had scant success proving or recovering damages in data breach cases, civil money damages are but one potential cost that may arise from a data breach.  Other costs include investigating the breach, repairing compromised systems, compliance with breach notification requirements, providing credit monitoring services for affected customers, and legal fees associated with responding to lawsuits and regulatory actions arising from the breach.  Not quantified as expenses, but also harmful to financial returns are potential reputational harm to the business and resulting lost sales that could dampen the company’s top line.  Even if courts continue to reject private civil money damages claims, businesses should consider data security to be a significant risk factor with potential to result in a materially adverse impact to the financial performance of the corporation.