Target Won’t Face SEC Charges Over Breach

Nearly two years after a massive data breach at Target left millions of consumers’ personal information at risk, the company announced it won’t face enforcement action from at least one government agency.

The Securities and Exchange Commission – just one government entity to investigate Target’s breach – won’t penalize the retailer, according to the company’s quarterly filing [PDF].

“The SEC’s Enforcement Division concluded its investigation during the second quarter of 2015 and does not intend to recommend an enforcement action against us,” the company says in the filing.

While the closure of the SEC investigation relieves one possible liability for the retailer, other agencies, including the Federal Trade Commission and various State Attorneys General, continue to investigate the data breach.

“Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, our estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims,” the company states. “We are not able to estimate the amount of such reasonably possible excess loss exposure at this time because many of the matters are in the early stages, alleged damages have not been specified, and there are significant factual and legal issues to be resolved.”

Target goes on to detail its costs so far related to the data breach, noting it has incurred $264 million in cumulative expenses. That figure is partially offset by expected insurance recoveries of $90 million, for a net cumulative expenses of $174 million.

The company’s announcement Wednesday comes just a week after it reached a deal with Visa to give about $67 million back to consumers affected by the breach.

While the figure was attributed to “people familiar with the situation,” the company confirmed the payment amount in the new SEC filing.

“In August 2015, we entered into a settlement agreement with Visa under which we will pay up to $67 million to eligible Visa card issuers worldwide that issued cards that Visa claimed to have been affected by the data breach,” the filing reveals.

In the wake of the massive hack, which went on for weeks before being detected in late 2013, card issuers say they spent hundreds of millions of dollars issuing replacement cards and dealing with fraudulent charges tied to the breach.

Target says it will continue to dispute claims filed by the three other major payment networks.

“We expect to dispute the remaining unsettled claims regarding the data breach that have been or may be made against us by the payment card networks,” the company says. “With respect to the three major payment card networks other than Visa, we think it is probable that our disputes would lead to settlement negotiations.”

The company previously settled a class-action case from consumers in March by agreeing to pay $10 million. The settlement was believed to potentially pay individual victims up to $10,000 in damages.

[via The Star Tribune]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.