Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Target Reaches Settlement with Banks
Proposal Calls for $39.4 Million to Help Cover Costs of Data BreachTarget Corp. has reached a proposed $39.4 million settlement with a group of banking institutions that sued the retailer over fraud losses and expenses suffered as a result of Target's December 2013 data breach.
See Also: Effective Communication Is Key to Successful Cybersecurity
A district court in Minnesota on Dec. 2 granted preliminary approval of the settlement; a final approval hearing has been set for May 10, 2016.
"This settlement is a strong and important result for those financial institutions that sustained losses as a result of the Target data breach, providing compensation well beyond what the card brand networks offered," according to a statement from Charles Zimmerman, lead counsel for the plaintiffs, and plaintiffs' co-counsel. "It also sets an important precedent that financial institutions should not always have to bear the burden of extensive costs related to merchant data breaches over which they have no control."
The proposed agreement comes after nearly two years of legal wrangling in the courts between Target and U.S. banking institutions involved in the settlement. Earlier this year, banking institutions' right to file a class action suit against Target had been upheld by the court (see Target Breach Suit Won't Be Dismissed and Why Target Could Owe Banks).
Target's breach compromised some 40 million payment cards.
Eligible Institutions
The settlement, according to a statement from plaintiffs' attorneys, will apply to all U.S. banks and credit unions that issued debit and credit cards affected by Target's breach that did not previously release their claims, such as by agreeing to settlements offered by Visa or MasterCard (see Target Breach: MasterCard Weighs New Settlement).
Target in August agreed to pay Visa card issuers up to a reported $67 million to cover their breach-related expenses. In May, card issuers rejected Target's $19 million settlement proposal with MasterCard. But Seth Eisen, a spokesman for MasterCard, says the card brand reached a second settlement with Target in August for $19 million, although the details were never made public.
The newly announced proposed settlement payout of up to $39.4 million includes:
- Up to $20.25 million that Target will pay directly to settlement class members, as well as for the notice and administration of the settlement.
- A $19.1 million payment by Target to fund MasterCard's Account Data Compromise program related to the data breach.
If the settlement wins court approval, eligible banking institutions will be able to submit a claim form to receive a cash payment, which will be in addition to funds already received through Visa's Global Compromised Account Recovery program, MasterCard's Account Data Compromise programs and other card brand reimbursement programs.
Banking institutions that are part of the class action will receive a court-authorized notice and claim forms by mail or through the settlement website.
Payments will be made after the settlement is approved by the court and any appeals have been completed.
Precedent-Setting?
One legal expert, who asked not to be named, says Target's pending settlement with the banks won't necessarily pave the way for similar settlements with other breached retailers.
That's because Minnesota, where Target is based, has a unique statute, the Minnesota Plastic Card Security Act, that requires breached merchants to reimburse card-issuing institutions for expenses and losses they suffered as a result of the breach.
District Judge Paul Magnuson has applied that Minnesota statute to all claims made in the class action suit by banking institutions impacted by the breach, regardless of where those institutions are located, the expert says. "This statue drove this case, and ultimately, after several favorable rulings based on it, the settlement."
In his Dec. 2 order, Magnuson reiterated that the banks' claims that Target violated the Minnesota statute were valid.
But attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, believes the Target settlement with the banks is likely to have a far-reaching impact, despite the implications of the Minnesota statute.
"This settlement indicates that banks and others in the payment ecosystem are going to try to make themselves whole after breaches affecting their customers and cards," Pierson says. "This settlement is more significant because the smaller financial institutions have indicated they will not approve settlements for financial institutions that are not addressing their unique needs and financial harms."