Target Corp. has reached an agreement with 47 states and the District of Columbia, resolving investigations on the infamous 2013 breach that exposed 41 million customer payment card accounts.
According to an announcement by the Attorney General Eric T. Schneiderman’s office on Tuesday, the agreement is the largest multi-state data breach settlement to date.
Target spokeswoman Jenna Reck said in a statement that the retailer had been working with state authorities for years to address claims regarding the data breach.
“We’re pleased to bring this issue to a resolution for everyone involved,” Reck told AP.
As part of the settlement, Target has agreed to bolster its digital security, including maintaining software and encryption programs to safeguard customers’ personal information.
The Minneapolis-based retailer will also be required to implement password rotation policies and two-factor authentication for certain accounts.
“… The settlement agreement requires Target to develop, implement, and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan,” the announcement read.
The payout comes in addition to more than $200 million in legal fees and other costs the company has incurred since the breach, as well as the nearly $70 million it agreed to reimburse financial institutions.
“Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security,” California Attorney General Xavier Becerra said in a statement.
“This should send a strong message to other companies: You are responsible for protecting your customers’ personal information,” added Becerra.