Is the Target Breach Settlement Fair?So Many Questions About $39 Million Proposal Remain Unanswered
Determining the "fairness" of Target's proposed $39 million settlement with financial institutions affected by the retailer's 2013 breach is impossible until we find out the answers to many questions, including how many banks and credit unions qualify (see Target Reaches Settlement with Banks).
See Also: What is next-generation AML?
Two years ago, a group of banks filed a a class action lawsuit against Target in hopes of recouping breach-related expenses above and beyond what the card networks provide through their recovery and data compromise programs.
"Sadly, the only parties profiting under the current process are the criminals and the attorneys."
In a statement provided to Information Security Media Group shortly after a district judge in Minnesota granted preliminary approval of the proposed settlement, Randy Diers, president of Village Bank, one of the banks involved in the suit, said: "While we wish the Target data breach had never occurred, we felt obligated to represent the class of financial institutions throughout the United States. This settlement represents the best possible outcome for financial institutions, as it provides immediate and fair compensation and will hopefully help prevent the occurrence of similar data breaches in the future."
While I'm happy to see that a settlement has finally been reached, it's not yet clear whether it's truly "fair."
That's because we don't know how many banks and credit unions accepted previous settlements from the card brands, which makes them ineligible for benefitting from the lawsuit settlement. We also don't know how much card issuers affected by the breach were compensated by the card brands as part of their recovery and data compromise programs.
Ultimately, the court will decide the "fairness" of this settlement when it issues a final ruling on May 10, 2016. But in granting preliminary approval on Dec. 2, a judge called the suit "fair, reasonable and adequate."
Payout Details, So Far
The proposed Target settlement with the banks would apply to all U.S. banking institutions impacted by Target's breach that did not waive their right to participate in the lawsuit by participating in the $67 million settlement negotiated by Visa or the $19 million MasterCard settlement.
In May, card issuers rejected Target's initial settlement with MasterCard. But Seth Eisen, a spokesman for the card brand, told me that MasterCard actually reached a second settlement with Target in August for the same amount, though the details were never made public, and no statement about the settlement was ever posted.
The Mystery of Rules of Recovery
The methods the card networks use to determine post-breach settlement offers are not easy to comprehend. They use complex and somewhat mysterious algorithms to determine how much is paid to issuers as part of their recovery and data compromise programs.
Merchants say these expenses are covered by interchange fees they pay to Visa and MasterCard. But no one knows what percentage of those interchange fees is being put toward reimbursements for issuers, or how the card networks determine the payouts.
Retailers argue that because the interchange fees they pay to Visa and MasterCard are designed to cover breach-recovery expenses, they shouldn't be asked to reimburse banks for additional breach-related expenses, as Target is doing as a result of its lawsuit settlement.
But bankers argue that the "pennies on the dollar" they receive from the card networks in the wake of a breach don't come anywhere close to covering overall costs associated with reissuing cards and refunding customers for fraudulent account activity that hits after cards are compromised. And because retail breaches have become so common, the losses banks and credit unions once absorbed have become unbearable to manage, they contend.
We'll never know if the bankers' argument has merit unless the card networks' operator rules and policies are revealed. It's baffling how publicly traded companies such as Visa and MasterCard can remain so cryptic about their reimbursement fee structures and funding - and it's a sore point for bankers and retailers alike.
In an interview shortly after the Target breach, Viveca Ware, executive vice president of regulatory policy for the Independent Community Bankers of America, explained how the card networks maintain an upper-hand that's impossible for issuers and retailers to challenge. "Visa and MasterCard do have programs that enable issuers to recoup a portion of losses and operational expenses related to mag-stripe counterfeit fraud losses," she says. "But this restitution is only available when the networks declare that a particular breach is eligible for the program."
Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, contends that Visa and MasterCard have an unfair advantage, and virtual control, over the U.S. retail payments market.
"This is a fair market issue that the U.S. Department of Justice has not adequately addressed, in my opinion," she says. "So, given this situation, the retailers have been put in an unfair position."
Shirley Inscoe, a financial fraud expert and analyst at the consultancy Aite, says determining the "fairness" of the proposed Target settlement is impossible.
"This proposed settlement is difficult to comment on without a lot more information," she says. "For example, it is unclear which - or how many - financial institutions are eligible to make claims against the $39 million. Compared to the number of consumers impacted by this breach, the amount is a pittance. Similarly, the amounts of previous settlements with Visa and MasterCard were so paltry, they were laughable."
Inscoe contends there has never been a post-breach settlement offered through either network that has come close to compensating banks and credit unions for all of the breach-related expenses and fraud losses they have had to cover. "Sadly, the only parties profiting under the current process are the criminals and the attorneys," she says.