Attached is a copy of the Assurance of Voluntary Compliance with Appendices A, B, C and D. third-party vendor has access to personal information, verify the vendor is securing the data. telephone, take steps to secure the obtaining as well as maintenance of the information, if any to limit the access to the information. If obtaining personal information on-line, fax, or by Please review the dealership s security policies for personal information as well as taking steps authentication for certain accounts. steps to control the access to its network. Steps include password rotation policies and two-factor In addition. Target must segment its cardholder data from the rest of its computer network and take security program. Target must also maintain and support software on its network and maintain encryption policies, particularly with respect to personal information data and cardholder information. in addition to the monetary settlement. Target must develop, implement, and maintain an information consumer data, such as names, telephone numbers, email, mailing addresses, card numbers, Target s customer service database and the installation of malware on the system to capture expiration dates, CVVI codes, and encrypted debit PINs. The stolen credentials were used to exploit the weaknesses in Target s system, allowing access to refrigeration and HVAC systems to Target. The investigation found that the initial intrusion into Target s systems occurred in November 2013. when cyber attackers accessed Target s gateway server through credentials stolen from a thirdparty vendor for Target. In this instance, the network credentials were stolen from a provider of customer contact information for more than 60 million Target customers. This data breach impacted over 41 million customer payment card accounts as well as exposing On May 15, 2017, forty-seven states, including Texas, and the District of Columbia, reached an $18.5 million settlement with Target Corporation resolving the retail company s 2013 data breach. MEMORANDUM Attached Assurance of Voluntary Compliance Multi-State Settlement on Data Breach Including Texas Karen Phillips May 23. 2017 To: Re: From: Date: TADA Members )TADA 4 Texas Automobile Dealers Association
CAUSE NO. D-1-GN-17-002263 IN THE MATTER OF IN THE DISTRICT COURT STATE OF TEXAS and TRAVIS COUNTY, TEXAS TARGET Respondent 200th JUDICIAL DISTRICT ASSURANCE OF VOLUNTARY COMPLIANCE This Assurance of Voluntary Compliance 1 is entered into by the Attorneys General of Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii 2, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia, as well as the District of Columbia (referred to collectively as the Attorneys General ) and Target Corporation to resolve the Attorneys General s investigation into the security incident announced by Target on December 19, 2013 (collectively, the Parties ). 3 1 This Assurance of Voluntary Compliance shall, for all necessary purposes, also be considered an Assurance of Discontinuance. 2 Hawaii is represented on this matter by its Office of Consumer Protection, an agency which is not part of the state Attorney General s Office, but which is statutorily authorized to undertake consumer protection functions, including legal representation of the State of Hawaii. For simplicity purposes, the entire group will be referred to as the Attorneys General or individually as Attorney General and the designations, as they pertain to Hawaii, refer to the Executive Director of the State of Hawaii s Office of Consumer Protection. 3 The State of California is simultaneously negotiating a settlement in a form consistent with the requirements of California law. That settlement would incorporate the substantive terms of this Assurance of Voluntary Compliance; to the extent there are differences, the differences will be related to and/or arise from the differences in In the Matter of State of Texas and Target Assurance of Voluntary Compliance Page 1