Small banks push for fair share of breach settlements

A group of community banks and credit unions filed a motion on April 27, 2015, to address what its members believe are inequities in Target Corp.'s $19 million data breach settlement with MasterCard Worldwide, which Target disclosed on April 15. The group is appealing the court's decision calling for issuers participating in the settlement to release all legal claims against Target. The claimants assert that proceeds from the settlement inadequately compensate them for card reissuance and other breach-related costs.

Settlement terms stipulate that MasterCard will offer recovery terms to issuers of MasterCard-branded payment cards compromised by the Target breach. Target said all eligible issuers will be notified of their individual settlement offers and asked to respond by May 20. The company agreed to fund $19 million in recovery payments if MasterCard secures a 90 percent approval from its eligible card issuers by the deadline.

Eileen Simon, Chief Franchise Integrity Officer at MasterCard, said that while MasterCard will recommend that its issuers accept the offers, the company will not attempt to influence outcomes or decisions. "We have made it very clear throughout the process that [participation] is entirely an individual choice for issuers," she said. Payment analysts anticipate that Target and Visa Inc. will reach a separate settlement agreement soon. A Visa statement to the media indicated the company is analyzing relevant information "to ensure we reach a resolution that is accurate and fair to all Visa clients and participants in the payments system."

Major breaches, multiple ramifications

In addition, numerous claims brought against Minneapolis-based Target since the data breach was first reported were consolidated into a single appeal seeking class action status. Plaintiffs include Mutual Bank in Whitman, Mass.; Village Bank in St. Francis, Minn.; CSE Federal Credit Union in Lake Charles, La.; First Federal Savings of Lorain in Lorain, Ohio; and Umpqua Bank in Roseburg, Ore., a subsidiary of Umpqua Holdings Corp. While Minneapolis U.S. District Judge Paul Magnuson has not yet ruled on that case, similar settlement rulings have required claimants to sign a release to be compensated for damages.

In a similar action filed in an Atlanta federal court, small card issuers are seeking relief for expenses related to The Home Depot Inc.'s 2014 data security breach. When card issuers were notified of the data breach in September 2014, which involved approximately 56 million cardholder accounts, JPMorgan Chase Bank and Capital One Financial Corp. swiftly replaced the cards of all potentially affected customers. Smaller financial institutions lacked the economies of scale to react as quickly or extensively to the epic data breach.

Small issuers' higher breach-related costs

Many smaller institutions lack the infrastructure and economies of scale to reissue millions of cards and otherwise absorb the costs of wide-scale attacks. Additionally, many smaller banks with assets below $1 billion were not even compensated for breach-related costs, according to a 2014 survey by the American Bankers Association. The Association also noted that the average cost of replacing a credit card is $10 for a small bank, compared with $3 for a large bank.

First Choice Federal Credit Union, based in New Castle, Pa., joined New Orleans-based First NBC Bank and other small institutions in September 2014 to file complaints against Home Depot, seeking restitution for costs of cancelling and reissuing customer debit cards. NBC Bank stated that Home Depot failed to implement and maintain the Payment Card Industry Data Security Standard, which left numerous financial institutions on the hook for tens, if not hundreds, of millions of dollars as a result of Home Depot's Security Breach."

Payment analysts estimate community banks and credit unions have spent about $350 million on Target and Home Depot security breach-related issues. Diana Dykstra, President and Chief Executive Officer of the California Credit Union League, stated that in most data breach cases "recovery amounts for credit unions and community banks are insufficient as compared with the losses." The League and the Credit Union National Association are participating in the Home Depot lawsuit.

Editorial Note:

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.