Target to pay Vermont $170,000 in security breach settlement

Vermont Business Magazine Attorney General Thomas J Donovan, Jr has announced that Vermont has joined with 46 other states and the District of Columbia in an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. The settlement represents the largest multistate data breach settlement achieved to date. Vermont will receive $170,000 from the settlement. Although there is no Target in the state of Vermont, the breach is estimated to have affected approximately 120,000 Vermonters.

The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.

The states' investigation, led by Connecticut and Illinois, found that on or about November 12, 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database. The cyber attackers captured consumer information including full names, telephone numbers, email and postal addresses, payment card numbers, expiration dates and CVV1 codes, and encrypted debit PINs.

“Data security continues to be a serious issue affecting consumers, and I am proud that Vermont is part of this settlement,” said Attorney General Donovan. “This settlement represents yet another example of the benefits of the states working together.”

In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program. This includes employing a corporate officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.

The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

In addition to Vermont, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington and West Virginia, and the District of Columbia.

Vermont AG: May 23, 2017 www.ago.vermont.gov.