Will MasterCard, Target Renegotiate?Banks Reject Breach Settlement, Push Forward with Lawsuit
MasterCard's $19 million breach-expense settlement with Target on behalf of its card issuers has been derailed after an insufficient number of banking institutions chose to accept the terms of the deal.
See Also: DevOps - Security's Big Opportunity
But what will happen next, now that the issuers have walked away from a deal they viewed as offering inadequate reimbursement for their breach expenses?
One payments security expert says MasterCard will likely renegotiate its settlement to avoid lengthy litigation. Meanwhile, an attorney representing banks and credit unions involved in a class-action lawsuit against Target, which seeks to recoup breach-related expenses, says the suit will push forward.
John Buzzard, who heads up FICO's Card Alert Service, says MasterCard is likely to offer a new settlement that better meets the expectations of issuers.
"I'm surprised the settlement didn't pass, and at the same time, I can totally understand why there is reluctance to accept a number that seems small to many issuers," he says. "I would imagine that renegotiation could be on the table again. A lengthy court battle and the complexities involved in a class action lawsuit could be mired in red tape for years."
Charles Zimmerman, co-lead counsel for the banking institution plaintiffs in the class-action suit against Target, says banks and credit unions agreed the settlement was unfair and decided they would rather push forward with their class-action suit, rather than agree to a settlement that provides inadequate reimbursement for their substantial breach-related expenses.
"We are pleased that financial institutions have resoundingly rejected Target and MasterCard's attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history," Zimmerman said in a statement provided to ISMG. "Financial institutions clearly saw through Target's misleading statements and efforts to extinguish pending legal claims for pennies-on-the-dollar. We will continue working to hold Target accountable and ensure that all affected financial institutions receive proper compensation for losses resulting from this data breach."
MasterCard did not respond to ISMG's request for comment. But the Star Tribune in Minneapolis, where Target is based, reports that MasterCard says it's "working to resolve the matter."
Target spokeswoman Molly Snyder confirms MasterCard failed to get enough banks and credit unions to agree to the settlement's terms by the May 20 deadline.
"The April 16 settlement agreement between MasterCard International Inc. and Target was to become effective if eligible issuers of at least 90 percent of all qualified accounts opted in to the settlement by May 20, 2015," Snyder tells Information Security Media Group. "MasterCard has informed Target that the 90 percent threshold was not reached by the May 20 deadline. Target has nothing further to share at this time."
Visa is working with Target and banking institutions to come up with a viable breach-expense recovery strategy, a Visa spokeswoman tells ISMG.
"Visa continues to work with Target and its acquiring financial institutions regarding any potential liability under Visa's Global Compromised Account Recovery program," the spokeswoman says.
Setting a Precedent?
Attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says banks' and credit unions' reluctance to agree to the terms of MasterCard's settlement with Target should serve as a wake-up call to the card brands.
"The failure of this settlement to pass is new ground that the card associations will need to consider and grapple with in this specific matter, and going forward with other notable breaches," he says. "The change in behavior may underscore the underlying frustration of fraud fallout from card-centric breaches."
Pierson says this case exemplifies why responsibility for cybersecurity must fall on the shoulders of more than just the banking institutions. "All financial institutions, card associations and others involved in the payment ecosystem will need to pay attention to this case, the positioning, and communications of the parties, as the balance of harm and risk, as it relates to financial crime and cybersecurity, is shifting."
Financial fraud expert Avivah Litan, an analyst with the consultancy Gartner, says it's difficult to evaluate the fairness of the terms of the derailed Mastercard settlement with Target without knowing how much MasterCard originally paid issuers for their card reissuance-related expenses connected to the Target breach.
"What I am reading behind the lines is that the large banks came out whole and the small ones came out in the hole," she says. "It doesn't seem to be a level playing field, and it appears that the small issuers suffer as much from credit card network policies as they do from the retailer breaches."
Litan notes than an American Bankers Association survey of 535 banks last year found that almost three-quarters of banks with assets below $1 billion did not receive any reimbursement for breaches between 2009 and 2014, while all banks with assets above $50 billion were reimbursed (see Why Visa's Paying Banks More after Breaches).
Class-Action Suit Pushes Forward
Last year, banks and credit unions impacted by the Target breach filed a class-action suit against Target, seeking reimbursement for fraud losses and card-reissuance expenses they suffered as a result of the Target breach, which in November 2013 exposed 40 million U.S. debit and credit cards.
In April, banking institutions involved in that class-action tried to block MasterCard's settlement with Target, which was announced earlier that month (see Target, MasterCard Settle Over Breach and Banks Try to Block Target Settlement). Earlier this month, U.S. District Judge Paul Magnuson, denied the motion to block the settlement, saying there was no legal justification for blocking the settlement, although he noted in his ruling that he questioned the settlement's fairness (see Will Banks Drop Target Lawsuit?).
In his ruling, Magnuson stated that he did not agree with all of the terms outlined in the settlement, which started out at $26 million but then dropped to $19 million. In particular, he said he was disappointed with the brief time frame banking institutions had to decide whether to accept the terms of the settlement.
"At the very least, the way this issue has arisen is neither fair nor is it how the court expects attorneys to conduct themselves in litigating matters before the court," Magnuson stated in his ruling. "But the court cannot enjoin a proposed settlement in this situation because it suspects that neither the settlement nor the putative class's options are completely fair. The court may act only if there is 'misconduct of a serious nature.' Although the settlement may not 'pass the smell test,' as the saying goes, it is not serious misconduct."
Carrie Hunt, senior vice president of government affairs and general counsel for the National Association of Federal Credit Unions, says card issuers impacted by the Target breach deserve to be compensated more than pennies on the dollar.
"Credit unions deserve to be fully compensated for their losses that were no fault of their own," Hunt says. "The failure to opt-in to the settlement by financial institutions sends a strong signal to card companies that the current reimbursement system does not work and financial institutions need to be made whole."
A status conference related to the class-action suit has been set for May 26.