Last week, Target announced a $19 million settlement with MasterCard, a “Financial Institution Plaintiff,” as a result of the 2013 data breach at its stores.
The terms of the settlement agreement are rather complex and call for Target to fund “alternative recovery offers” made by MasterCard to companies that issue MasterCards. Target’s press release further indicates that “[t]he settlement is conditioned on issuers of at least 90% of the eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015.”
Plaintiffs’ lead counsel has made statements objecting to the MasterCard settlement and stated the settlement amount “appears to only cover a ‘minimal portion’ of the actual damages suffered by financial institutions…”. He is urging the financial institutions not to sign onto the MasterCard settlement.
Even if the settlement goes through with MasterCard, Target will have to negotiate separate agreements with financial institutions that issued Visa or Discover cards. With so many moving parts in the Target data breach case, we can see how difficult it is to assess the risk related to a data breach.
Based on the Target litigation, the risk analysis by policyholders or insurers for a data breach cannot be limited to the potential for damages to consumers involved. Rather, the major hurdles in this case appear to be related to the damages sought by various financial institutions. Consequently, any risk analysis must include the potential damages suffered by credit card issuers. As illustrated by the Target litigation, these damages can be substantial. Lastly, any difficulty in assessing the risk prior to a breach is understandable when there is this much trouble assessing damages after a breach.
Last month, Target settled the portion of the class action lawsuit with the “Consumer Plaintiffs.”