Talk about a “bank holiday” – under a settlement deal filed in court yesterday, Target will pay $39.4 million to a litigation class of banks and credit unions to settle financial institution claims related to the retailers’ massive 2013 data breach, which compromised at least 40 million credit cards. The preliminary settlement is the first time a retailer has agreed to directly absorb financial institutions’ costs from a data breach, such as fraud losses and the expense of issuing new debit and credit cards.
Under the terms of this settlement, Target will pay up to $20.25 million directly to the settlement class and $19.1 million to fund MasterCard’s Account Data Compromise Program relating to the breach. The settlement will apply to all U.S. financial institutions that issued payment cards identified as having been at risk from the breach and that did not previously release their claims against Target by signing on to separate deals. A final approval hearing on the settlement is set for next year.
Previously, Target inked a $67-million agreement with Visa in August and settled a federal class action lawsuit brought by customers for $10 million in March. Target had reached a proposed $19-million deal with MasterCard last spring, but it was rejected by card issuers as too low. In addition, Target’s earnings reports through fiscal year 2014 reported breach-related expenditures of $290 million, net of cyber insurer reimbursement of $90 million. Target still faces pending shareholder lawsuits and ongoing probes by federal and state regulators.
Target’s settlements with banks may make it more likely that financial institutions will take legal action against retailers for compensation after a data breach, particularly smaller banks that feel the burden of data breaches more acutely. Target’s situation was somewhat unique because Minnesota, where Target is headquartered, has the Plastic Card Security Act, which requires breached merchants “doing business” in Minnesota to reimburse card-issuing institutions for expenses and losses suffered as a result of a breach covered under the statute’s provisions. It remains to be seen how expansive courts will be in applying the statute’s “doing business” requirement in future breach litigation.