$19 million Target, MasterCard breach settlement crumbles

Settlement was contingent on 90% of MasterCard issuers approving the deal
Written by John Fontana, Contributor

A proposed $19 million settlement reached last month between Target Corp. and MasterCard over a 2013 security breach fell apart after not enough banks who had sued the retailer agreed to be part of the deal they said fell short of actual damages, according to MasterCard.

The settlement, announced last month, needed agreement by May 20 from 90% of MasterCard issuing banks and credit unions. Those numbers were not met, MasterCard reported. The $19 million was for reimbursement for fraudulent charges and the cost that card issuers suffered in re-issuing cards that had been compromised.

Lawyers for the banks tried last month to kill the settlement but a judge tossed their case. MasterCard was not a party to the original lawsuit, but was representing its member banks. The banks argued that the settlement represented only a fraction of their losses, which they estimated at more than $160 million.

The failure to meet the 90% agreement threshold basically gives the banks what they didn't get in court and it now appears settlement talks will resume. MasterCard did not reveal how close the vote came to the 90% majority.

"At this stage, we will continue to work to resolve the matter," the company said in a statement.

The lead attorneys for the card issuers, Charles Zimmerman and Karl Cambronne, said in a statement they will continue to push for "proper compensation." In addition, the National Association of Federal Credit Unions issued a statement calling for full compensation for its affected members.

In December, Target failed to get the class action suit thrown out by a U.S. District Court in which the banks and credit union card issuers sued Target after it reported in Dec. 2013 that hackers stole 40 million credit card records.

Costs related to the breach have already piled up for Target. The company reported to the SEC in February that it has sustained $252 million in gross breach-related expenses since Dec. 2013.

Despite those costs, the company does not list on-going expenses related to the breach as its greatest risk. In its 10-K filing in March last year the company said, "we believe that the greatest risk to our business arising out of the Data Breach is the negative impact on our reputation and loss of confidence of our guests, as well as the possibility of decreased participation in our REDcards Rewards loyalty program which our internal analysis has indicated drives meaningful incremental sales."

The breach does not appear to have slowed the company's business. In fact, for fiscal 2014, Target's full-year comparable sales grew 1.3 percent and digital channels were up more than 30 percent. Target also paid dividends of $1.2 billion in fiscal 2014, an increase of 19.8 percent above 2013.

In the long run, this slug fest between giants in retail and financial services may well build a legal framework that defines digital commerce going forward. How the case plays out may well have a lasting impact on how all businesses define and document digital security, how they are contractually connected to partners, and how they deflect or mitigate liability.

Editorial standards