Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Banks Try to Block Target SettlementClaim $19 Million MasterCard Deal Doesn't Cover Their Costs
A group of financial institutions affected by the 2013 Target data breach that exposed at least 40 million payment cards is asking a court for a preliminary injunction to block the proposed settlement between the retailer and MasterCard that would provide $19 million to card issuers.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
In documents filed on April 21 in the Minnesota U.S. District Court, the banks allege that "the total losses actually suffered by card-issuing financial institutions are astronomically higher than the $19 million offered under the proposed settlement." The court papers redact figures representing the banks' estimated costs related to mitigating the Target incident.
In a joint statement, attorneys representing the banks, Charles Zimmerman of the law firm Zimmerman Reed and Karl Cambronne of the law firm Chestnut Cambronne, note: "The agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history. It provides paltry restitution for the substantial losses suffered and seeks to extinguish existing legal claims that are wholly outside the scope of Target's liability to MasterCard."
The attorneys add: "This sweetheart deal for Target was negotiated without involvement of the court or the legal representatives of the impacted financial institutions. For these reasons, financial institutions should not agree to this so-called 'settlement,' and we hope the court will grant the preliminary injunction we have requested."
A class action lawsuit filed by financial institutions against Target seeking reimbursement for breach-related expenses is still pending (see:Target Settlement: What About the Banks?).
Besides asking the court to stop the proposed settlement, the banks are also asking the court to stop or limit "misleading and coercive communications" from Target and MasterCard about the proposed deal. The court papers filed this week by the attorneys representing the banks allege, among a list of other things, that Target, acting in concert with MasterCard, misrepresented details of the settlement offer.
A hearing to consider a preliminary injunction will be held on April 27 in Florida middle district U.S. district court by judge Paul Magnuson, who is assigned to handle the case in the U.S. district in St. Paul, Minnesota, but who is temporarily in Florida to help relieve a court backlog there, sources close to the case tell Information Security Media Group.
The court action was filed on behalf of five financial institutions: Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain, "individually and on behalf of a class of all similarly situated financial institutions in the United States."
In announcing the proposed settlement with MasterCard, Target said it agreed to provide a total of up to $19 million in payments to card issuers. "The settlement is conditioned on issuers of at least 90 percent of the eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015," the retailer said.
Target also is in negotiations with Visa for a breach-related settlement. "Visa takes very seriously our responsibility to work closely with its acquiring clients and Target to resolve this event," Visa spokesman Jake Standish says.
Al Pascual, who leads the security, risk and fraud practice at research firm Javelin Strategy & Research, says that based on information that's been discussed by many banks related to the cost of reissuing cards impacted by the Target breach, the total costs likely exceed the $19 million settlement amount agreed upon by Target and MasterCard. However, he notes, "This [settlement] has gotten the ball rolling; it needs more teeth and needs to be refined, but it's a start. Initially the courts didn't know how to handle cybercrime cases, and now you see people [who are convicted] getting 10 or 20 years. The courts will get a better handle on [breach] cases as well, and I suspect we'll see more accountability" by organizations that experience the breaches.
An information security legal expert, who asked to remain anonymous, says: "Motions opposing or seeking modification of proposed settlements are not uncommon. It's way too early to make any judgments about the short- or long-term impact on the current or future litigation. The best that can be said is that the settlement, or at least a part of it, has been challenged."
Target declined to comment on the banks' request to the court. MasterCard did not immediately respond to a request for comment.