BreachExchange mailing list archives

Will Banks Reject Home Depot Breach Settlement?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Dec 2015 18:10:13 -0700

http://www.bankinfosecurity.com/will-banks-reject-home-depot-breach-settlement-a-8729

Reports of a possible settlement between MasterCard and Home Depot to
compensate card issuers affected by the home-repair retailer's 2014 data
breach have created confusion and frustration for some banks and credit
unions, say attorneys representing institutions in a class action lawsuit
against the retailer.

Plaintiffs' attorneys say that letters sent to banks and credit unions
about the settlement were misleading, in that they suggested that in order
to receive payment from the settlement, banking institutions would have to
forfeit their rights to seek additional compensation through a class-action
suit.

In reality, however, plaintiffs' attorneys say banks and credit unions are
under no obligation to forfeit their rights to pursue additional payment,
even if they do accept payment from the proposed settlement, for which
financial terms have not been disclosed.

On Nov. 30, those attorneys filed a motion to have the court force Home
Depot to immediately disclose details of the settlement.

"Until Home Depot discloses all the facts relating to its agreement with
MasterCard, financial institutions should reject any settlement that does
not offer significant reimbursement for their losses beyond what they are
already entitled to receive under MasterCard's rules without releasing
their legal claims," the attorneys say in a statement about the settlement
proposal.

The attorneys also allege that Home Depot has concealed critical terms of
its agreement with MasterCard, "which was negotiated in secret without the
involvement of the court or court-appointed plaintiffs' counsel."
Additionally, they say that banking institutions have been given less than
a week to make a decision about whether to accept the settlement.

A spokesman for MasterCard told Information Security Media Group: "We, like
other payment networks, have been in negotiations with The Home Depot to
settle claims related to its 2014 data breach. As part of those
negotiations, we have presented offers to several issuing customers
significantly impacted by the breach. Those offers provide an option to
resolve the matter with a defined financial reimbursement. But, the
decision is theirs; they maintain the right to choose to continue to pursue
other options."

Home Depot on 'Tentative Settlement'

Stephen Holmes, a spokesman for Home Depot, says Home Depot has not
contacted any banking institutions about a settlement with MasterCard.

"There is a tentative settlement in place with MasterCard, but I can't
discuss the details of the settlement," Holmes tells ISMG. "What I can tell
you is that we did not send any communications, nor were we aware of any
communications being sent."

Holmes says similar negotiations also are underway with other card
networks, including Visa.

A Visa spokeswoman tells ISMG: "We continue to work with Home Depot and its
acquirers regarding potential GCAR [Global Compromised Account Recovery]
liability. We do not have updates to share at this time, but will do so as
details can be confirmed."

Processors Contacted Banks and Credit Unions

Three payments and core processors - FIS, Fiserv and Vantiv - sent letters
to banks and credit unions about MasterCard's proposed settlement with Home
Depot, according to the Atlanta Business Chronicle. Each letter specifies
response deadlines from Dec. 2 through Dec. 7. They note that any issuer
that accepts the terms of the "alternative recovery offer," part of
MasterCard's account data compromise program, forfeits its rights to pursue
further compensation through the class action suit.

Here's an excerpt from the letter from Vantiv: "The funds designated for
the Alternative Recovery Program are to settle claims for operational costs
and fraud-related losses on MasterCard-branded cards believed by MasterCard
to have been impacted by the Home Depot data breach. Each participating
issuer will be compensated for the amount due to such issuer as calculated
under MasterCard's ADC [Account Data Compromise] standards. If you wish to
participate in the Alternative Recovery Program, please fill out and submit
the form here by December 2, 2015. By participating in the Alternative
Recovery Program, you will release MasterCard, Home Depot USA Inc. and its
acquiring banks and processors from all claims related to the Home Depot
data breach."

In its letter, FIS notes that the settlement will only become effective if
65 percent of all qualified issuers accept the settlement.

Attorneys for the plaintiffs in the class action suit against Home Depot
argue that recovery paid out through the Account Data Compromise program to
banks and credit unions impacted by a retail breach should be paid
regardless of whether a class action suit seeking additional compensation
is filed.

"The settlement uses MasterCard's Account Data Compromise (ADC) program to
offer financial institutions partial recovery amounts for their losses
sustained during the data breach," co-lead counsel attorneys note in their
statement. "However, these settlements do not disclose to financial
institutions that they are not required to sign a release in order to
participate in MasterCard's ADC program, and should be able to retain their
right to pursue legal claims against Home Depot."

Attorneys argue that the letters sent to banks and credit unions about the
proposed settlement are "vague, contradictory and seem designed to confuse
putative class members."

Lacking Transparency?

Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite,
says the lack of transparency about this proposed settlement "smacks of
intimidation techniques and less-than-stellar ethics."

While it's standard for processors to send these types of communications to
their bank and credit union customers, she says the letters don't clarify
many details for their customers. "I am surprised at the lack of quality
communication," she says. "In a sense, they are literally just the
go-between from the settlement reached by Home Depot and MasterCard; but
this seems to be very poor customer service. While the processors do not
really have a role here, except from a communications perspective, this
paints them in a poor light."

Additionally, Inscoe says it's not clear why institutions would be asked,
as part of the terms of the Account Data Compromise program, to waive their
rights to possible compensation offered through a class-action suit. That's
because settlements that fall under the card brands' breach-recovery
programs, such as MasterCard's Account Data Compromise program, are
standard and routine, and do not require institutions to waive their rights to
additional compensation, she says.

"This appears to be the typical settlement between Home Depot and
MasterCard, while trying to infer that any bank that bucks the settlement
loses their right to litigate for greater compensation," Inscoe says. "I
haven't seen this done in any previous data breach case."

Different from Target

The recent class-action settlement reached between issuers and Target over
fraud and expenses associated with Target's 2013 breach validates Inscoe's
points.

The class-action settlement recently reached between Target Corp. and
issuers, if approved by the court, will offer compensation to banks and
credit unions impacted by Target's 2013 breach that goes above and beyond what has
already been paid out by card brands through their breach-recovery
programs, such as Visa's Global Compromised Account Recovery program and
MasterCard's Account Data Compromise program.

"The recently announced settlement in the litigation over Target's 2013
data breach proves that financial institutions do not need to accept the
first offer they receive directly from the card brands," the attorneys for
the banks suing Home Depot say in their statement. "By rejecting
MasterCard's initial offer, financial institutions ultimately obtained
significantly greater compensation in court. The Target settlement sets an
important precedent by showing that financial institutions can achieve
greater compensation for their losses through the legal system."