The proposed $19 million settlement to cover financial institutions' losses from the Target data breach in 2013 has failed, and financial institutions believe public data security fears provide a strong hand in future talks.
"The banks don't believe that they are in a position where they need to compromise on this," said Thad Peterson, senior analyst with the Aite Group, who added that the financial institutions will now push for "as close to a full recovery as they can get."
Financial institutions never liked the $19 million settlement between Target and MasterCard, which is well below their own cost estimates of nearly $18 billion. Financial institutions are also frustrated by the general trend of data breach settlements, which usually fall far below the actual cost.
MasterCard issuers had to cast at least 90% of their votes in favor of the Target settlement by May 20, and not enough did, MasterCard and Target said. Voting power was allotted based on the volume of transactions, not one-vote-per-financial-institution. MasterCard did not release exact vote totals, though credit unions were said to lead the opposition, according to one analyst.
In late 2013, around 40 million Target customers had their information compromised in the second-largest data breach ever. A group of financial institutions, including Umpqua Bank in Portland, Ore., and CSE Federal Credit Union in Lake Charles, La., sued Target last year, claiming the retailer's poor security made the breach possible.
The deal now moves back to negotiations, with the prospect of going to trial hanging over both sides.
Lawyers working for the financial institutions issued a statement on May 22 applauding the settlement's rejection. "We are pleased that financial institutions have resoundingly rejected Target and MasterCard's attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history," said a statement issued by attorneys Charles Zimmerman and Karl Cambronne. "Financial institutions clearly saw through Target's misleading statements and efforts to extinguish pending legal claims for pennies on the dollar. We will continue working to hold Target accountable and ensure that all affected financial institutions receive proper compensation for losses resulting from this data breach."
In a phone interview, Zimmerman said the huge difference between bank losses sustained and what the $19 million settlement offered drove the rejection. "This is pennies on the dollar, because [banks and credit unions] have lost hundreds of millions cumulatively," he said.
The National Association of Federal Credit Unions also welcomed the settlement's rejection. "Credit unions deserve to be fully compensated for their losses that were no fault of their own," said Carrie Hunt, the association's senior vice president of government affairs and its general counsel. "The failure to opt in to the settlement by financial institutions sends a strong signal to card companies that the current reimbursement system does not work and financial institutions need to be made whole. Litigation does nothing to prevent future breaches. That is why we continue to urge Congress to act to protect consumers' financial information by enacting stronger standards and holding retailers and merchants directly accountable for their data breaches."
Both MasterCard and Target issued their own statements, acknowledging that the threshold had not been met. "The alternative recovery offers were provided to issuers as a way to deliver to them certain and prompt payments for a portion of the costs they incurred as a result of the Target data breach, including card reissuance costs and fraud losses," said Jim Issokson, group head of North American communications for MasterCard. "At this stage, we will continue to work to resolve the matter."
Target's statement was short: "MasterCard has informed Target that the 90% threshold was not reached by the May 20 deadline. Target has nothing further to share at this time."
Peterson predicted that the settlement would go through, but with more favorable terms for financial institutions. "This is probably more of a shot across the bow more than anything else. There is no Plan B at this time. They want to force renegotiations," he said. "The initial message to banks: 'It's OK to say no.' And for retailers? 'You better get your data secure because the potential for the cost of legal settlement just went up.' "
This litigation has shaken a very delicate and necessary working relationship between the financial institutions and retailers, said Richard Crone, a payments consultant. "Merchants are dependent on financial institutions and vice versa. They have to work together," he said, adding that the settlement was designed to end that relationship strain. "Target needs to resolve the data breach and they all want to put this behind them."
Crone stressed that had it been solely up to the banks, the settlement would have been approved. "What drove the nonapproval was the credit unions, not the banks," Crone said.
With any settlement negotiations, the incentives for both sides to settle generously speak to how much each side fears going to trial, where this matter could be decided by a jury of consumers. Crone argued that it's the banks that have the most to fear from such a trial as evidence will make the banks look bad, laying the blame for long-standing payment card security weaknesses on those banks. "It won't be a trial of Target. It will try the entire payments ecosystem," he said. "Why is the bank putting my 16-digit number on my card? That's an oxymoron. The expiration date on the card? There's no need to expose that information."
A jury of consumers would most likely identify with the consumers who went into Target and then had their data stolen, Peterson said. "Jurors will be less sympathetic to Target. It was in fact [consumers'] information that was stolen. Consumers were impacted negatively because of this. Target will really want to settle."