The Green Sheet Online Edition
May 25, 2015 • Issue 15:05:02
Small banks push for fair share of breach settlements
A group of community banks and credit unions filed a motion on April 27, 2015, to address what its members believe are inequities in Target Corp.'s $19 million data breach settlement with MasterCard Worldwide, which Target disclosed on April 15. The group appealed the court's decision calling for participating issuers to release all legal claims against Target. The claimants asserted that proceeds from the settlement would inadequately compensate them for card reissuance and other breach-related costs.
Settlement terms stipulate that MasterCard will offer recovery terms to issuers of MasterCard-branded payment cards compromised by the Target breach. Target said all eligible issuers will be notified of their settlement offers and asked to respond by May 20. The company agreed to fund $19 million in recovery payments if MasterCard secures approval from banks that issued 90 percent of compromised cards by the deadline.
Eileen Simon, Chief Franchise Integrity Officer at MasterCard, said that while MasterCard will recommend that its issuers accept the offers, it won’t attempt to influence decisions. "We have made it very clear throughout the process that [participation] is entirely an individual choice for issuers," she said.
Payment analysts anticipate Target and Visa Inc. will reach a separate settlement agreement soon.
Major breaches, multiple ramifications
In addition, numerous claims brought against Minneapolis-based Target since the data breach was reported were consolidated into a single appeal seeking class action status. Plaintiffs include Mutual Bank in Whitman, Mass.; Village Bank in St. Francis, Minn.; CSE Federal Credit Union in Lake Charles, La.; First Federal Savings of Lorain in Lorain, Ohio; and Umpqua Bank in Roseburg, Ore., a subsidiary of Umpqua Holdings Corp.
In a similar action filed in an Atlanta federal court, small card issuers are seeking relief for expenses related to The Home Depot Inc.'s 2014 data security breach. When card issuers were notified of the breach in September 2014, which involved approximately 56 million cardholder accounts, JPMorgan Chase & Co. and Capital One Financial Corp. swiftly replaced the cards of all potentially affected customers. Smaller financial institutions lacked the economies of scale to react as quickly or extensively to the breach.
Small issuers' higher breach-related costs
Many smaller institutions lack the infrastructure to reissue millions of cards and otherwise absorb the costs of wide-scale attacks. Additionally, many smaller banks with assets below $1 billion were not even compensated for breach-related costs, according to a 2014 survey by the American Bankers Association, which also noted that the average cost of replacing a credit card is $10 for a small bank, compared with $3 for a large bank.
First Choice Federal Credit Union, based in New Castle, Pa., joined New Orleans-based First NBC Bank and other small institutions in September 2014 to file complaints against Home Depot, seeking restitution for costs of cancelling and reissuing customer debit cards.
Payment analysts estimate community banks and credit unions have spent about $350 million on Target and Home Depot security breach-related issues. Diana Dykstra, President and Chief Executive Officer of the California Credit Union League, stated that in most data breach cases "recovery amounts for credit unions and community banks are insufficient as compared with the losses." The League and the Credit Union National Association are participating in the Home Depot lawsuit.
Update: On May 7, U.S. District Judge Paul Magnuson rejected the plaintiffs' bid to block the proposed settlement between Target and MasterCard. He wrote in his ruling that the deal doesn't appear "altogether fair and reasonable" but said he couldn't intervene without evidence that MasterCard or Target had made coercive or misleading statements. He also said, "Although the settlement may not pass the 'smell test,' as the saying goes, it is not serious misconduct."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.