Enter to open, tab to navigate, enter to select
Target Settles 2013 Data Breach Claims; Agrees to Pay MasterCard-issuing Banks $19 Million
Practical Law Legal Update 6-609-5895 (Approx. 3 pages)
Target Settles 2013 Data Breach Claims; Agrees to Pay MasterCard-issuing Banks $19 Million
by Practical Law Finance
| Published on 22 Apr 2015 • USA (National/Federal) |
On April 15, 2015, Target announced that it reached a settlement with MasterCard regarding a data breach that Target experienced during the fourth quarter of 2013.
Target Corporation (Target) has announced that it has reached a settlement agreement to reimburse MasterCard International Incorporated (MasterCard) for losses caused by a data breach that Target experienced during the fourth quarter of 2013.
In December 2013, Target confirmed in a press release that it was aware of unauthorized access to payment card data that impacted approximately 40 million customers making credit and debit purchases in its US stores between late November and mid-December 2013. This data breach likely resulted in the theft of personal information, such as the email addresses and telephone numbers of consumers. For a discussion of the regulations governing the privacy of sensitive consumer information, see Practice Note, GLBA: The Financial Privacy and Safeguards Rules. For guidance in complying with these regulations, see Financial Privacy Rules Compliance Checklist.
Under the settlement, Target agrees to fund up to $19 million pre-tax in alternative recovery payments to eligible banks and credit unions. The final figure will depend on the extent to which eligible issuers accept the alternative recovery offers. These funds are intended to reimburse card issuers for the following:
- Operational costs, including costs related to reissuance of credit and debit cards following the breach.
- Fraud-related losses on MasterCard-branded cards, which MasterCard believes resulted from the data breach. For example, following a data breach, fraudsters often use emails, texts, phone calls or fake websites to attempt to steal a consumer's personal financial information.
Given that Target's February 2015 Form 8-K filing reported more than $252 million in breach-related expenses for the 2013-2014 period, some financial institutions have criticized the $19 million settlement deal as an attempt by Target to avoid appropriately reimbursing financial institutions for their losses.
The settlement also requires MasterCard to:
- Make alternative recovery offers to eligible MasterCard issuers worldwide, namely those that issued MasterCard-branded payment cards that may have been affected by the data breach.
- Recommend that those eligible issuers accept the alternative recovery offers.
As a condition of the settlement, at least 90% of eligible MasterCard account issuers must accept their alternative recovery offers (either directly or through their sponsoring issuers) by May 20, 2015. Upon acceptance, the issuer must release MasterCard, Target and its acquiring banks for any claims that it may have regarding the data breach. If the issuer satisfies these conditions, it will receive its alternative recovery payment by the end of the second quarter of 2015.
According to a press release on MasterCard's website, issuers that choose not to accept the offer will have their claims determined by MasterCard's internal processes. They may receive more or less than the amounts offered in this settlement depending on various factors, including:
- MasterCard's final determination of their claims.
- The outcome of any litigation that Target may file to challenge claim awards to issuers outside of the settlement.
As a result of the settlement, Target is reworking its digital information security processes to ensure data security. In particular, Target will need to ensure that the financial information of consumers shopping via the mobile retail app will not be at risk. For a discussion of the regulations governing mobile apps and other emerging payment systems, see Practice Note, Consumer Regulations Governing Emerging Payment Systems.