DENVER – Today Attorney General Cynthia H. Coffman announced that Colorado has joined with 46 other states and the District of Columbia in an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. The settlement represents the largest multistate data breach settlement achieved to date.
The multistate investigation found that cyber attackers accessed Target's gateway server in November of 2013 through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, allowing the attackers to access a customer service database and capture data, including consumer telephone numbers, email addresses and mailing addresses; payment card numbers, expiration dates and CVV1 codes; and encrypted debit PINs.
The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers. An estimated one million Colorado consumers were affected by the breach. Colorado will receive $278,914 from the settlement.
“Target’s inadequate security measures became obvious in this case, and nearly one-fifth of our population was impacted by the breach. However, because Colorado’s data breach and privacy laws are so weak compared to other states, we were unable to credibly take a leadership position in the litigation. It’s time Colorado’s data protection law sets a higher standard for companies and governments entrusted with consumers’ private information,” said Attorney General Coffman. “I will be convening a privacy working group this summer to research and recommend more effective legislation in the 2018 session. Colorado needs to move to the forefront in protecting consumers from theft of their personal information and the potentially devastating consequences.”
In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is also required to hire an independent, qualified third party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
In addition to Colorado, other states participating in this settlement include Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia, as well as the District of Columbia.