California will receive more than $1.4 million from the settlement, the largest amount of any state, according to California Atty. Gen.
"Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security," Becerra said in a statement. "This should send a strong message to other companies: You are responsible for protecting your customers' personal information."
Alabama, Wisconsin and Wyoming were not part of the settlement announced Tuesday.
As part of the settlement, the Minneapolis-based retailer will also be required to employ an executive to manage a "comprehensive information security program" and advise the company's chief executive and its board of directors, according to the statement from Becerra's office.
Target must hire an independent third party to do a comprehensive security assessment, according to a statement from the New York attorney general's office. It has to add other cybersecurity measures, including encrypting payment card information so the data are useless if stolen, separating its cardholder data from the rest of its computer network and instituting password rotation policies and two-factor authentication for certain accounts.
Target said it was "pleased to bring this issue to a resolution for everyone involved." The retailer added that the costs associated with this settlement were "already reflected in the data breach liability reserves that Target has previously recognized and disclosed."
Target has since overhauled its security systems and settled other lawsuits related to the breach, including one from credit card company Visa Inc. A $10-million settlement for a class-action lawsuit brought by consumers is still going through the court system, though it received approval from a federal judge in 2015.
Target shares fell 1.7% on Tuesday to $54.49.
3 p.m.: This article was updated with Target's stock movement.
10:20 a.m.: This article was updated with information about a class-action lawsuit.
9:30 a.m.: This article was updated with information about additional cybersecurity measures Target will be required to adopt as part of the settlement, and with the names of the states that were not part of the settlement.
8:40 a.m.: This article was updated with a comment from Target.