Target Court Win May Burden Retailers
Target may have gotten what it wanted on May 7 when a U.S. District Court judge green-lighted its $19 million settlement with MasterCard, but the win may come back to haunt it and other retailers.
Card issuers now have until May 20 to decide if they’ll accept the highly-criticized settlement offer related to Target's massive 2013 data breach, but concerns about the settlement's size, the exclusion of card issuers from the negotiations, and the requirement to forfeit future rights to sue Target may fuel a growing crusade to make Target and other retailers liable for the havoc their data breaches wreak.
At least 90% of the eligible MasterCard issuers have to accept the settlement by the deadline in order for it to proceed, but now the question is whether they will do so. Despite ruling that MasterCard and Target were free to exclude issuers from the settlement negotiations because the issuers weren't a certified class, which would have made it a class-action suit, U.S. District Court Judge Paul Magnuson expressed concern about the settlement's fairness.
“The court agrees with plaintiffs’ counsel that the terms of the settlement do not appear altogether fair or reasonable,” he wrote, adding, “Although the settlement may not ‘pass the smell test,’ as the saying goes, it is not serious misconduct.”
Attorneys Charles Zimmerman and Karl Cambronne, who asked for the injunction on behalf of Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain, said in a statement to CU Times they discourage credit unions from accepting the offer.
“The court's opinion is a harsh indictment of the ‘settlement’ proposed by Target and MasterCard, and should give financial institutions great pause before accepting this flawed and inadequate agreement,” they said. “The court's findings further underscore that the agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history. We will continue communicating with financial institutions about the importance of rejecting this Target-MasterCard ‘settlement’ in order to seek proper compensation for losses resulting from this data breach.”
But it might not be so easy for credit unions to reject the settlement offer, according to Diana Dykstra, president/CEO of the California and Nevada Credit Union Leagues.
“I think the credit unions are going to have to decide, if they don't sign to get some of that recovery, are they going to get in trouble with MasterCard or do they then have an opportunity to turn around and file a separate suit,” she said. “You’re leaving money on the table by not taking the settlement, although it's probably going to be pennies on the dollar.”
That's why attention could quickly shift to the litigation on the 2014 Home Depot data breach, which involved 56 million cards. Like the Target breach, the Home Depot breach involved card reissuance – but it also involved massive fraud, she explained.
Read more: Credit unions willl likely try to prevent card companies from negotiating on their behalf ...
“Visa and MasterCard have always stood in when they’re negotiating settlements over the years, but we didn't have these massive repeated data breaches. So I think it's a very antiquated system and, quite frankly, the card company plays both ends of the deal,” Dykstra said.
After the May 7 decision, credit unions will likely work to prevent card companies from negotiating on their behalf again.
“We’ve got a credit union in almost every state to represent the class at the state level so we can avoid something like the Target settlement,” she said of the Home Depot litigation.
NAFCU and CUNA are also coming hard after retailers. In recent weeks, both organizations threw their support behind the Data Security Act of 2015, which they said would require retailers to meet the same data-storage standards credit unions must already obey under the Gramm-Leach-Bliley Act.
Under the bill, companies that suspect a breach would have to assess the nature and scope of the incident, as well as tell federal law enforcement and consumer reporting agencies right away if a breach involves information belonging to more than 5,000 consumers. The bill, which was introduced in the Senate on April 16 and in the House on May 4, also requires companies to notify consumers about breaches by mail, telephone or email.
“While we appreciate that the settlement attempts to hold Target somewhat accountable, we were hoping it would be more than just pennies on the dollar,” NAFCU President and CEO Dan Berger said. “We believe that this demonstrates the reason why Congress must act to protect consumers’ financial information by enacting stronger standards and holding retailers and merchants directly accountable for their data breaches.”
CUNA President and CEO Jim Nussle added, “This common sense legislation ensures that those who accept cards as payment are held to the same standard as those who issue cards for payment.”
Meanwhile, with credit unions receiving alerts about potential breaches once every 2.2 days, according to a February 2015 NAFCU survey, the upcoming May 20 deadline is likely just another to-do on the task list. But it's a tough one.
“I can't speak for what I think they should do,” Dykstra said. “They need to weigh those decisions. I don't know if they’ll get anything better.”