Target, Visa Reach Breach Settlement
Payout Reportedly Capped at $67 Million
(Note: This story has been updated.)
Visa and retail giant Target have reached an agreement that reportedly will reimburse card issuers a total of up to $67 million for fraud losses and other expenses tied to the retailer's 2013 breach, which exposed an estimated 40 million credit and debit cards.
While The Wall Street Journal, quoting people familiar with the deal, places the value of the agreement at up to $67 million, Visa and Target, in acknowledging an agreement has been reached, have yet to confirm its value.
In a statement provided to Information Security Media Group on Aug. 18, Target states that it reached a settlement agreement with Visa on Aug. 17, after Visa's largest card issuers agreed to the terms of the deal.
"As a result, offers are being extended to the remaining group of eligible Visa issuers using a settlement formula that would enable them to achieve the same economics as the Visa issuers that have already settled with Target and Visa," Target says. "The costs of the settlement are already reflected in Target's previously reported fiscal 2013 and 2014 results."
On Feb. 25, Target reported that its card breach cost the retailer $252 million, with $162 million of that amount not covered by insurance. Target did not say, however, how much of that cost had been allocated for payment to the card brands.
Visa declined to elaborate about the agreement. In a statement provided to ISMG on Aug. 18, Visa notes: "This agreement attempts to put this event behind us, and increase the industry's focus on protecting against future compromises with new technologies. Nevertheless, the fact remains that data breaches are an unfortunate situation for all parties involved - especially consumers."
In May, card issuers rejected Target's $19 million settlement proposal with MasterCard. That agreement had required acceptance by 90 percent of issuers to move forward.
MasterCard at the time said it was working to "resolve the matter." No further announcements have been made.
And a class action lawsuit filed against Target by U.S. banks and credit unions is still pending (see Banks Suing Target Make New Demands).
As an incentive to accept the deal, Target has reportedly offered to reimburse issuers for any fraud losses related to certain debit transactions that resulted from the breach, as long as those issuers agree not to sue Target, according to The Wall Street Journal.
Reaction to the Deal
Charles Zimmerman of Zimmerman Reed PLLP, who's representing banks and credit unions in their class action suit against Target, charges that the settlement with Visa represents the retailer's attempt to avoid fully reimbursing card issuers for the losses they suffered because of the retailer's breach.
"Just as with the proposed MasterCard settlement - resoundingly rejected by financial institutions in May - this deal was negotiated under a veil of secrecy without the involvement of the court or the court-appointed legal representatives of financial institutions," Zimmerman says. "Importantly, it fails to fully reimburse card issuers for the substantial losses suffered from the Target data breach."
As a result, Zimmerman recommends that banking institutions that have not yet agreed to the deal do nothing. "They will receive a fraction of their recovery automatically under Visa's Global Compromise Account Recovery program, which does not require a release of claims," he says. "Financial institutions should not accept the optional alternative recovery offer that requires signing a release."
Zimmerman argues that this alternative offer, which covers certain debit transaction losses, also should be reconsidered by the banking institutions that have already agreed to it. "A class certification motion is currently pending in the Target data breach litigation, which seeks to hold Target accountable for damages far greater than what has been offered under this settlement," he says.
A hearing regarding class certification has been scheduled for Sept. 10. On Aug. 13, a U.S. District Court in Minnesota agreed with the plaintiffs' arguments that the class-certification brief and other files related to the case should be unsealed.
The Independent Community Bankers of America and the National Association of Federal Credit Unions also say that Visa's agreement with Target falls short. And they say legislative action is needed to ensure retailers enhance security so that breaches don't occur in the first place.
"While this settlement helps address the costs of the Target breach, stronger federal data security and cybersecurity laws are needed to prevent retailer data breaches from happening in the first place," the ICBA notes.
Carrie Hunt, senior vice president of government affairs and general counsel for NAFCU, notes: "We continue to urge Congress to act to protect consumers' financial information by enacting national data security standards for retailers and holding them directly accountable for their data breaches. This settlement is a step in the right direction, but it still may not make credit unions whole."
The reimbursement formulas set by the card brands for banks and credit unions impacted by retail breaches have long been criticized by bankers.
In February 2014, when fallout from the Target breach was just being estimated, Viveca Ware of the Independent Community Bankers of America said Visa and MasterCard's programs for reimbursing issuers only cover a portion of the fraud losses and operational expenses banking institutions must bear.
"The restitution of the recovered amounts are just really small in comparison to the cost and fraud losses, and the immeasurable cost of payment system reputational damage," Ware said.
In May, Visa agreed to increase the amount it pays to banking institutions that are adversely impacted after a merchant breach (see Why Visa's Paying Banks More after Breaches).
According to the American Bankers Association, which worked with Visa to increase the post-breach-recovery amount paid to card issuers, Visa's new tiered system pays smaller card issuers, such as community banks, more than large issuers for breach-related recovery.
Rather than paying $2.50 for each reissued card - which historically was the rate paid to every institution impacted by a breach - banking institutions with less than $500 million in annual Visa purchase volume will now be paid $6 for every card they have to reissue in the wake of a breach at a merchant, the ABA said.
The ABA said it's been lobbying card brands for a year to re-assess their reimbursement structures. So far, only Visa has made any changes, the ABA noted.
MasterCard, which already reimburses card issuers on a tiered scale, has made no announcements about altering its reimbursement amounts.