The massive data breach during the 2013 holiday season at Target was the first of a series of data breaches that continue unabated to this day with little end in sight. While millions of Target customers were inconvenienced by the theft of their credit card or debit card information, banks that issued those cards and had to replace the stolen cards suffered financial losses involved with replacing the stolen cards as high as 400 million dollars. Five of these banks, Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings filed a class action in federal court on behalf of themselves and other affected banks seeking payment from Target for the losses they incurred as a result of the data breach. I have been reporting to you over the last couple of years as to the progress of this lawsuit. Yesterday, a preliminary settlement was approved by the court. Under the terms of the settlement, Target will pay up to 20.25 million dollars to the affected banks and credit unions as well as pay 19.11 million dollars to reimburse issuers of MasterCards. An earlier settlement reached with MasterCard issuers in April of 2015 was rejected by the members of the class as being too low. Target has already settled with issuers of Visa credit cards, agreeing to pay 67 million dollars. As for individual customers whose credit and debit card information was stolen, Target settled a class action brought on their behalf for 10 million dollars. However, Target’s troubles are not entirely over. It still is being investigated by the Federal Trade Commission and a number of state attorneys general regarding the data breach as well as also being sued by its own stockholders.
This is a significant settlement. In the past, retailers were not held responsible for the occasional data breach occurring in the processing of credit and debit card transactions, but this has changed as data breaches have moved from being an occasional event to a major and costly occurrence. This settlement may well serve as the impetus for a major change in how retailers conduct business in general and in particular what security steps they will need to take in order to avoid financial responsibility for future data breaches. Coupled with regulations shifting responsibility for data breaches to retailers who fail to switch to new smart credit cards with computer chips, this settlement may signal a new paradigm for company electronic security. As for consumers, the best course of action continues to be to use your chip credit card, if you have one and refrain from using your debit card for retail purchases because the laws regarding liability for fraudulent charges are more advantageous to consumers when using credit cards rather than debit cards.