In the latest settlement agreement reached in a lawsuit brought by banks following a retailer’s data breach, an Illinois federal court judge signed off on a $5.2 million deal involving a major U.S. retailer.

What happened

In late 2014, hackers allegedly compromised and stole the confidential financial and personal identifying information of a major retailer’s customers, including credit and debit card numbers, card expiration dates, card verification values, and other information belonging to those customers. A group of banks, credit unions and other financial institutions filed suit against the retailer in 2015, seeking payment for the cost of replacing credit and debit cards and reimbursing funds to customers who were allegedly victimized after the breach, which affected 8.1 million cards.

The plaintiffs argued that the company failed to adequately secure its customers’ personal identifying information on its data systems and that the breach could have been prevented if the retailer had heeded warnings about weaknesses in its data systems.

After the retailer filed a motion to dismiss, parties entered mediation and negotiated a settlement. Pursuant to the agreement, the retailer will establish a $5.2 million settlement fund to be distributed to class members as well as pay attorneys’ fees and expenses. The company also agreed to change several practices related to data security.

Among other things, the defendant will appoint and maintain an executive with responsibility for the company’s program(s) to protect the security of cardholder data; obtain an annual independent assessment of its compliance with the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures; and develop and use reasonable steps to select and engage service providers that are capable of maintaining reasonable safeguards to protect cardholder data (including consideration of using two-factor authentication for all third-party vendors with access to such data).

The company will also develop and implement a program to educate and train appropriate members of its workforce on the importance of information security and the protection of cardholder data as well as undertake some enhanced security measures, including point-to-point encryption, a tokenization vault for retaining cardholder data and Europay, MasterCard and Visa chip card technology.

All eligible class members automatically received assessment payments of nearly $13.4 million. In addition, class members were divided into two tiers entitled to file claims. The first tier consists of banks that held Visa-branded cards that weren’t protected under a previous reimbursement agreement between the store and Visa. To date, 256 class members have submitted claims, resulting in a rather modest payout of $2.38 per card.

The second tier comprises the remaining class members, who will be reimbursed about $4.4 million for card replacement or fraud losses, with an average recovery of approximately $26,000 per claimant. While the actual amount will vary, about 172 claimants will receive this far more substantial award.

After granting preliminary approval of the deal in October, U.S. District Court Judge John Z. Lee gave his final sign-off in May—with a caveat. In a docket entry, the court said it intends to take another look at the final allocation plan for the settlement proceeds and will sign off on attorneys’ fees and costs of roughly $1.8 million as well as incentive fees ($10,000 for each of the five class representatives) after that review.

To read the memorandum in support of final approval of the settlement in Greater Chautauqua Federal Credit Union v. Kmart Corporation, click here.

To read the court’s docket entry of approval, pending review of the final allocation plan, click here.

Why it matters

While banks rarely serve as putative class representatives, this suit offers another great example of how class actions can result in large recoveries to the financial industry. While the deal is a fraction of the size of settlement agreements in other lawsuits filed by banks against retailers over data breaches—such as the $25 million settlement in the suit against Home Depot—the settlement demonstrates that the potential for reimbursement to banks is particularly strong in the data breach arena.