Card Not Present Fraud , Incident & Breach Response , Managed Detection & Response (MDR)
Will Banks Drop Target Lawsuit?
Judge Denies Banks' Motion to Block MasterCard SettlementA Minnesota judge's decision to deny a motion by banking institutions to block MasterCard's $19 million settlement with Target Corp. on behalf of card issuers affected by the retailers' massive 2013 breach isn't likely to be appealed, experts say (see Banks Try to Block Target Settlement).
See Also: Effective Communication Is Key to Successful Cybersecurity
In fact, one cybersecurity attorney says this ruling could discourage the banks and credit unions that in 2014 filed a class-action suit against Target from pushing forward.
While the case is set to go trial next spring, attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says this settlement ruling isn't likely to be appealed, and could even leave institutions believing that it makes more sense to just accept the settlement, rather than invest in further legal proceedings.
"Banks will have to decide how much time and money they want to put into pursuing their own legal options, as opposed to signing onto the settlement [for card issuers] negotiated by MasterCard," he says. "It is unlikely banks will appeal and more likely that 18 months after the breach, banks choose not to dedicate legal resources toward chasing this action. ... In this case, it appears more likely than not that the banks do not pursue further action."
Pierson says smaller institutions have fewer options, and can't really afford ongoing legal expenses. And larger institutions have already written off the 2013 and 2014 costs and absorbed the losses, he adds.
Financial fraud expert Shirley Inscoe, an analyst at consultancy Aite, says MasterCard's settlement reflects how unbalanced network reimbursements to issuers for retail breach costs actually are.
"This settlement is such a shame," Inscoe says. "It is hard to imagine how MasterCard could have accepted such a paltry amount on behalf of its issuers. Clearly, MasterCard does not have any understanding of the true cost of dealing with fraud in a financial institution, but it is hard to imagine how they can fail to understand the cost of reissuing cards. ... As usual, retailers' lack of adequate security results in huge costs for issuers, and the issuers have to absorb the bulk of the cost."
The Settlement
Card issuers have until May 20 to decide whether to agree to the payout being provided by Target under the terms of the settlement with MasterCard. No such settlement with Visa has yet been announced. Banks and credit unions that accept the settlement forfeit their rights to pursue additional compensation through the class-action lawsuit.
But Charles Zimmerman, co-lead counsel for the banking institution plaintiffs in the class-action suit against Target, says he is advising his clients to reject the settlement, in hopes of a higher payout when the class-action case goes to trial next year.
"We will continue communicating with financial institutions about the importance of rejecting this Target-MasterCard 'settlement' in order to seek proper compensation for losses resulting from this data breach," Zimmerman says in a statement provided to Information Security Media Group.
Judge's Denial of Injunction
On May 7, U.S. District Judge Paul Magnuson, ruled that there was no legal justification for blocking the settlement between Target and MasterCard, even though he questioned the settlement's fairness.
The settlement arose from MasterCard's demand that Target pay more than $26 million to MasterCard-issuing banking institutions for damages they suffered as a result of Target's breach, Magnuson points out. "The parties eventually agreed that Target would pay MasterCard $19 million," the judge wrote.
However, Magnuson also pointed out that he did not agree with all of the terms outlined in the settlement, in particular, the brief time frame during which banking institutions have to decide whether to accept the terms of the settlement.
The judge noted in his ruling: "At the very least, the way this issue has arisen is neither fair nor is it how the court expects attorneys to conduct themselves in litigating matters before the court. But the court cannot enjoin a proposed settlement in this situation because it suspects that neither the settlement nor the putative class's options are completely fair. The court may act only if there is 'misconduct of a serious nature.' Although the settlement may not 'pass the smell test,' as the saying goes, it is not serious misconduct."
Reaction to the Ruling
Target spokeswoman Molly Snyder says the retailer is pleased with the court's decision. "We believe this will allow us to resolve claims with participating MasterCard issuers and avoid protracted litigation with those issuers," she says.
Seth Eisen, spokesman for MasterCard says: "We're pleased that Judge Magnuson recognized it would not be appropriate to enjoin the settlement we reached with Target. Each impacted bank and credit union will review the terms and make an independent decision on whether to accept the settlement."
But Zimmerman, the attorney for the banks, contends: "The court's opinion is a harsh indictment of the 'settlement' proposed by Target and MasterCard, and should give financial institutions great pause before accepting this flawed and inadequate agreement. We agree with Judge Magnuson that 'the terms of the settlement do not appear altogether fair or reasonable' and that it may not 'pass the smell test'. The court's findings further underscore that the agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history."