Target Settlement: What About the Banks?
Assessing Impact on Pending Lawsuit Filed by Banks
Target Corp.'s pending settlement of a consolidated consumer class action suit is more about public relations and corporate positioning than it is about actually compensating victims, some information security and legal experts say (see Target Breach Consumer Lawsuit to Proceed).
And the settlement, which gained preliminary court approval March 19, likely will have no impact on the lingering consolidated class action lawsuit filed on behalf of banks, one legal observer says.
In December, a federal judge denied Target's motion to dismiss the banks' suit (see Target Breach Suit Won't Be Dismissed). The banking institutions' suit seeks compensation from Target for certain breach-related expenses, such as reissuing affected payment cards and covering the cost of fraud.
The December 2013 Target breach exposed 40 million credit and debit card details and the personal information of approximately 60 million customers (see Suits Against Target Make 'Statement').
"The consumer claims and the bank claims are entirely different animals," says one legal expert, who asked to remain anonymous. "I do not think the consumer settlement will drive a bank settlement in any way, other than Target may want to settle them both, as a business decision, to get past the litigation and get back to doing business."
Proposed Consumer Settlement
Under the pending settlement of the consumer lawsuit, Target agrees to put $10 million into an escrow account to compensate breach victims for losses they can document, up to $10,000 per person. Then, whatever is left over is to be split among all breach victims who state under oath that they were impacted by Target's breach.
Target also has agreed to pay up to $6.75 million in related attorneys' fees and expenses.
Some security and privacy experts say Target's settlement didn't go far enough in helping consumers.
"They got off easy. On the other hand, eBay did far more damage and is getting off 'scot free,'" says William Murray, an information security and technology consultant. The 2014 breach at eBay resulted in the compromise of personally identifiable information for 145 million customers.
"Wouldn't it have been so much better if, instead of this empty gesture, Target had made a donation to the small group of nonprofits that support victims of identity theft and clean up the mess left be companies like Target?" asks security and identity theft expert Neal O'Farrell, who's the executive director of nonprofit group The Identity Theft Council.
But others think Target's data breach - and the class-action settlement - could help make information security and data breach prevention a higher priority at other businesses.
"This settlement extends the obligations of organizations who are custodians of sensitive personal and financial data from focusing on just financial and reputational risk to considering legal risk even more strongly than they have in the past," says Rob Sadowski, director of technology solutions for RSA. "They need to invest in the people, processes and security technologies that will enable them to mitigate these risks - detecting and responding to incidents before they turn into damaging breaches."
$10,000 Cap
One notable aspect about the pending Target settlement is that it involves compensating victims directly for the documented losses they incurred. While this will create additional work for victims who lost money, Eva Casey-Velasquez, president and CEO at Identity Theft Resource Center, says losses should be relatively easy to document.
Some Target breach victims told ITRC that criminals had drained cash from their bank accounts after their debit card data was stolen, and that not all of this money was reimbursed by their bank. "I am hoping that those people who were victimized will be able to go through these processes and recoup losses," she says.
Under federal law, card issuers are required to reimburse victims for fraudulent credit card charges. No such protections apply to debit card purchases, although many banking institutions do repay cardholders who've been impacted by debit fraud.
State Law Affects Bank Lawsuit
Although Target was able to settle the consumer lawsuit, settling the suit filed by banks and credit unions might be a bit trickier. That's because a statute in Minnesota, where Target is based, provides certain protections for card issuers that suffer losses because of a retail breach (see Bank Files Unique Suit Against Target).
One of the bank lawsuits that was consolidated, which was filed by Oregon-based Umpqua Bank, alleges Target violated the Minnesota Plastic Card Security Act, which prohibits retailers doing business in the state from retaining sensitive magnetic-stripe data after authorization of a card transaction. If a retailer violates that prohibition, it must reimburse any financial institution for losses incurred as the result of a breach that required cards to be issued.
Umpqua's complaint alleges that Target improperly stored card data, thus violating the Minnesota statute as well as the Payment Card Industry Data Security Standard.
None of the institutions named in the class-action suit against Target would comment about the pending litigation to Information Security Media Group.