Target Corporation recently announced that it entered into a settlement agreement with MasterCard International Incorporated, agreeing to pay up to $19 million to MasterCard for payments to reimburse issuing banks for card-replacement and fraud losses allegedly associated with the 2013 data breach at Target. The deal is contingent on issuing banks representing 90 percent of the eligible MasterCard accounts accepting the settlement offer by May 20th and agreeing not to pursue any claims they may have against Target or its acquiring banks for the breach. If successful, this settlement may provide a road map for merchants hoping to protect themselves against litigation by issuing banks following a payment card breach.
During the holiday shopping season of 2013, Target suffered a cyber-attack in which malware installed on the company’s network exposed the credit and debit card information of 40 million customers and the personal information of 70 million more. The breach resulted in a flood of litigation by various parties, including a class action filed by issuing banks (the financial institutions that issue payment cards and maintain cardholder accounts). The issuing banks sued to recover costs they allegedly incurred as a result of the breach, including the costs to replace compromised cards and costs to reimburse cardholders for fraudulent charges.
Following a breach of payment card information like the one Target suffered, the card brands can issue assessments against the victim merchant’s acquiring bank (the financial institution that a merchant contracts with to gain access to the payment card networks, which allows the merchant to accept payment cards). The card brands use the funds they recover from the assessments to reimburse issuing banks for the costs to replace or monitor compromised cards and for amounts spent reimbursing customers for fraudulent charges. Because merchants often expressly agree to indemnify acquiring banks for these assessments, Target most likely would have been responsible for any assessments issued by MasterCard in connection with the 2013 breach. Considering the size of that breach, the assessments would likely have been very costly.
Sometimes, however, issuing banks seek recovery outside of the assessment process by bringing class action lawsuits against the merchant that suffered the data breach. In this case, a number of issuing banks brought class action suits against Target alleging, among other things, negligence and violations of the Minnesota Plastic Card Security Act. Target is seeking to resolve those suits through this settlement offer, under which Target has offered to pay $19 million to MasterCard to fund “alternative recovery payments” to participating issuing banks, if issuing banks representing at least 90 percent of eligible MasterCard accounts accept the deal. In return, the issuing banks must release their claims against Target and its acquiring banks related to the data breach.
This type of settlement has been reached before. For instance, TJX, the parent company of retailers T.J. Maxx, Marshalls, and HomeGoods, agreed to pay MasterCard $24 million as part of a negotiated settlement following a 2006 breach in which the information from more than 45 million customer credit and debit cards was compromised. The TJX deal was also contingent on issuers representing 90 percent of card accounts releasing their claims. Similarly, Heartland Payment Systems, a card processing company, entered into a settlement with MasterCard for $41.4 million, contingent on issuers representing at least 80 percent of eligible MasterCard accounts accepting the deal. The Heartland breach involved over 100 million compromised payment cards.
However, the named plaintiffs in the putative class action brought by the issuing banks against Target are challenging this settlement and have sought a preliminary injunction to prevent the settlement from taking effect. They argue that the settlement offer improperly strips the multidistrict litigation (MDL) court of jurisdiction and violates protections for class members under Federal Rule of Civil Procedure 23, and that it was communicated to the issuing banks in a misleading way. Target disputes these allegations and opposes the injunctive relief. The court has yet to rule.
If the settlement process is allowed to proceed, issuing banks might be persuaded to take Target’s settlement offer, which would be paid out in the second quarter of 2015, in order to receive payment now and avoid prolonged litigation with an uncertain payout in the future. If prior settlements are any indication, most issuing banks will accept the deal. For example, issuers representing more than 99 percent of eligible accounts ultimately accepted the TJX and Heartland settlement offers.
However, some issuing banks may still envision greater recovery on their claims through the litigation process. Target’s settlement offer has been described as “pennies on the dollar,” and stands in stark contrast to the banks’ potential recovery under the Minnesota Plastic Card Security Act, which applies to Target as a Minnesota company and explicitly allows financial institutions to recover all reasonable costs associated with a payment card data breach from the breached entity. Issuing banks that do not sign off on the deal will still be able to pursue their claims in court, even if the 90 percent threshold is met. Target has stated that it plans to vigorously defend against any claims brought by issuing banks.