Believe it or not, Target still isn't done paying the price for the 2013 breach that exposed the shopping data of tens of millions of customers. The retailer has reached a settlement with 47 states (and the District of Columbia) that will have it pay a collective $18.5 million and institute key reforms. It'll have to separate its card data from the rest of its network, further control access to its network (such as by implementing two-factor authentication) and run "appropriate" encryption policies. It'll also have to implement a "comprehensive" info security program with a dedicated executive, and hire an outside firm for security reviews.
As far as settlements go, this is one of the smaller examples. Target is shelling out more than the $10 million it paid to individual victims, but the current settlement is peanuts compared to the $39 million paid to banks and the $67 million Visa agreement. It's barely comparable to the $19 million MasterCard payout.
However, this will likely serve as yet another reminder that lax security (such as Target's decision to ignore hack alerts for 12 days) can have long-lasting consequences for retailers, let alone customers. It also represents a closure of sorts: Target can spend less time dealing with the fallout from the breach and focus more on reducing the chances of a repeat disaster.