Will Banks Reject Home Depot Breach Settlement?Attorneys say Proposed MasterCard, Home Depot Settlement 'Confuses' Issuers
Reports of a possible settlement between MasterCard and Home Depot to compensate card issuers affected by the home-repair retailer's 2014 data breach have created confusion and frustration for some banks and credit unions, say attorneys representing institutions in a class action lawsuit against the retailer.
Plaintiffs' attorneys say that letters sent to banks and credit unions about the settlement were misleading, in that they suggested that in order to receive payment from the settlement, banking institutions would have to forfeit their rights to seek additional compensation through a class-action suit.
In reality, however, plaintiffs' attorneys say banks and credit unions are under no obligation to forfeit their rights to pursue additional payment, even if they do accept payment from the proposed settlement, for which financial terms have not been disclosed.
On Nov. 30, those attorneys filed a motion to have the court force Home Depot to immediately disclose details of the settlement.
"Until Home Depot discloses all the facts relating to its agreement with MasterCard, financial institutions should reject any settlement that does not offer significant reimbursement for their losses beyond what they are already entitled to receive under MasterCard's rules without releasing their legal claims," the attorneys say in a statement about the settlement proposal.
The attorneys also allege that Home Depot has concealed critical terms of its agreement with MasterCard, "which was negotiated in secret without the involvement of the court or court-appointed plaintiffs' counsel." Additionally, they say that banking institutions have been given less than a week to make a decision about whether to accept the settlement.
A spokesman for MasterCard told Information Security Media Group: "We, like other payment networks, have been in negotiations with The Home Depot to settle claims related to its 2014 data breach. As part of those negotiations, we have presented offers to several issuing customers significantly impacted by the breach. Those offers provide an option to resolve the matter with a defined financial reimbursement. But, the decision is theirs; they maintain the right to choose to continue to pursue other options."
Home Depot on 'Tentative Settlement'
Stephen Holmes, a spokesman for Home Depot, says Home Depot has not contacted any banking institutions about a settlement with MasterCard.
"There is a tentative settlement in place with MasterCard, but I can't discuss the details of the settlement," Holmes tells ISMG. "What I can tell you is that we did not send any communications, nor were we aware of any communications being sent."
Holmes says similar negotiations also are underway with other card networks, including Visa.
A Visa spokeswoman tells ISMG: "We continue to work with Home Depot and its acquirers regarding potential GCAR [Global Compromised Account Recovery] liability. We do not have updates to share at this time, but will do so as details can be confirmed."
Processors Contacted Banks and Credit Unions
Three payments and core processors - FIS, Fiserv and Vantiv - sent letters to banks and credit unions about MasterCard's proposed settlement with Home Depot, according to the Atlanta Business Chronicle. Each letter specifies response deadlines from Dec. 2 through Dec. 7. They note that any issuer that accepts the terms of the "alternative recovery offer," part of MasterCard's account data compromise program, forfeits its rights to pursue further compensation through the class action suit.
Here's an excerpt from the letter from Vantiv: "The funds designated for the Alternative Recovery Program are to settle claims for operational costs and fraud-related losses on MasterCard-branded cards believed by MasterCard to have been impacted by the Home Depot data breach. Each participating issuer will be compensated for the amount due to such issuer as calculated under MasterCard's ADC [Account Data Compromise] standards. If you wish to participate in the Alternative Recovery Program, please fill out and submit the form here by December 2, 2015. By participating in the Alternative Recovery Program, you will release MasterCard, Home Depot USA Inc. and its acquiring banks and processors from all claims related to the Home Depot data breach."
In its letter, FIS notes that the settlement will only become effective if 65 percent of all qualified issuers accept the settlement.
Attorneys for the plaintiffs in the class action suit against Home Depot argue that recovery paid out through the Account Data Compromise program to banks and credit unions impacted by a retail breach should be paid regardless of whether a class action suit seeking additional compensation is filed.
"The settlement uses MasterCard's Account Data Compromise (ADC) program to offer financial institutions partial recovery amounts for their losses sustained during the data breach," co-lead counsel attorneys note in their statement. "However, these settlements do not disclose to financial institutions that they are not required to sign a release in order to participate in MasterCard's ADC program, and should be able to retain their right to pursue legal claims against Home Depot."
Attorneys argue that the letters sent to banks and credit unions about the proposed settlement are "vague, contradictory and seem designed to confuse putative class members."
Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite, says the lack of transparency about this proposed settlement "smacks of intimidation techniques and less-than-stellar ethics."
While it's standard for processors to send these types of communications to their bank and credit unions customers, she says the letters don't clarify many details for their customers. "I am surprised at the lack of quality communication," she says. "In a sense, they are literally just the go-between from the settlement reached by Home Depot and MasterCard; but this seems to be very poor customer service. While the processors do not really have a role here, except from a communications perspective, this paints them in a poor light."
Additionally, Inscoe says it's not clear why institutions would be asked, as part of the terms of the Account Data Compromise program, to waive their rights to possible compensation offered through a class-action suit. That's because settlements that fall under the card brands' breach-recovery programs, such as MasterCard's Account Data Compromise program, are standard routine and do not require institutions to waive their rights to additional compensation, she says.
"This appears to be the typical settlement between Home Depot and MasterCard, while trying to infer that any bank that bucks the settlement loses their right to litigate for greater compensation," Inscoe says. "I haven't seen this done in any previous data breach case."
Different from Target
Looking at the recent class-action settlement reached between issuers and Target over fraud and expenses associated with Target's 2013 breach, Inscoe's points are validated.
The class-action settlement recently reached between Target Corp. and issuers, if approved by the court, will offer compensation to banks and credit unions impacted by Target's 2013 that goes above and beyond what has already been paid out by card brands through their breach-recovery programs, such as Visa's Global Compromised Account Recovery program and MasterCard's Account Data Compromise program.
"The recently announced settlement in the litigation over Target's 2013 data breach proves that financial institutions do not need to accept the first offer they receive directly from the card brands," the attorneys for the banks suing Home Depot say in their statement. "By rejecting MasterCard's initial offer, financial institutions ultimately obtained significantly greater compensation in court. The Target settlement sets an important precedent by showing that financial institutions can achieve greater compensation for their losses through the legal system."