Target, MasterCard Settle Over Breach
Retailer Offers Issuers a Total of Up to $19 Million
By Eric Chabrow, April 16, 2015.
Target has agreed to pay a total of up to $19 million to issuers of MasterCard payment cards over losses and expenses they incurred as a result of the retailer's massive 2013 breach.
See Also: Breaking Down Ease-of-Use Barriers to Log Data Analysis for Security
The settlement announced April 15 is contingent on issuers of at least 90 percent of the eligible MasterCard accounts accepting their offers by May 20. If sufficient issuers accept the offer, Target says they'll be paid by the end of June.
"This settlement provides our issuers a reasonable resolution of the Target data breach event," says Eileen Simon, MasterCard chief franchise integrity officer. "The timely reimbursement of costs and losses under the agreement delivers MasterCard issuers a faster and more certain resolution to the event, while reinforcing our commitment to maintain the integrity of industry security standards."
MasterCard, in a statement, says issuers that choose not to accept this offer will have their claims determined by MasterCard internal processes and may receive more or less than the amounts offered in this settlement, depending on various factors. Those include MasterCard's final determinations of their claims and the outcome of any litigation that Target might file to challenge claim awards to issuers outside of this settlement.
Target also is in negotiations with Visa for a breach-related settlement. "Visa takes very seriously our responsibility to work closely with its acquiring clients and Target to resolve this event," Visa spokesman Jake Standish says. "Visa continues to analyze all relevant information to ensure we reach a resolution that is accurate and fair to all Visa clients and participants in the payments system and we are committed to addressing and resolving this case expeditiously."
Reaction to SettlementWilliam Murray, an information security and technology consultant, says everyone benefits from the MasterCard settlement, even consumers. "The cost to Target is much less than that of extended litigation," he says, adding that the length for the two sides to reach a settlement seems reasonable. "I am pleasantly surprised at how quickly it has been done," he says. "Just clarifying the issues is time consuming. Arriving at an agreement in this time demonstrates good will on the part of all parties."
But Jim Nussle, chief executive of the Credit Union National Association, contends the settlement took too long. "It is about time that Target steps up to its responsibilities in this breach," Nussle says. "And it is long overdue for merchants to start living up to their responsibilities in protecting customers' sensitive information by adopting higher security standards."
Dan Berger, chief executive of the National Association of Federal Credit Unions, says the size of the MasterCard settlement was disappointing. "While we appreciate that the settlement attempts to hold Target somewhat accountable, we were hoping it would be more than just pennies on the dollar," Berger says. "We believe that this demonstrates the reason why Congress must act to protect consumers' financial information by enacting stronger standards and holding retailers and merchants directly accountable for their data breaches."
As Target and MasterCard announced their settlement, the House Energy and Commerce Committee passed a data breach notification and security bill that calls on companies to take "reasonable security measures and practices" to secure the personally identifiable information of customers (see National Data Breach Notification Bill Advances).
Target says the 2013 breach compromised at least 40 million payment cards and might have caused the pilfering of personal information from as many as 110 million people. The retailer has reported that its breach costs have totaled at least $252 million so far, with $90 million covered by insurance.
The retailer last month announced a pending $10 million settlement of a consumer lawsuit. Target and MasterCard did not immediately respond to requests for further comment.
Follow Eric Chabrow on Twitter: @GovInfoSecurity