After Target and Home Depot Breaches, Small Lenders Object to Settlements

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.wsj.com/articles/after-target-and-home-depot-breaches-small-lenders-object-to-settlements-1430175638

Small banks and credit unions are banding together in a bid to recover
hundreds of millions of dollars in losses incurred from high-profile data
breaches at Target Corp. and Home Depot Inc.

Angry at being squeezed out by bigger banks, the small institutions now are
trying to upend a long-standing industry practice in which card networks
Visa Inc. and MasterCard Inc. negotiate settlements with breached merchants
and then distribute the proceeds to affected financial institutions.

The smaller firms say the process favors the big banks, even though the
larger institutions can more easily absorb the cost of such incidents,
including issuing new cards.

The frustration reached a boiling point earlier this month, when the
lenders filed a motion objecting to terms of a settlement Target reached
with MasterCard that would see the retailer provide $19 million to card
issuers to cover breach-related losses.

On Monday, small banks and credit unions asked a federal judge to allow
them to pursue additional compensation, marking a high-profile legal
challenge to the traditional deal in which banks surrender the right to all
other reimbursement claims. The banks contend the Target settlement would
cover only a “minimal portion of the actual damages.”

Meanwhile, a similar court case filed by small card issuers against Home
Depot is drawing fresh support from two industry trade groups. Home Depot
hasn’t reached a settlement with Visa or MasterCard.

The small institutions are “looking to pursue any channel that makes them
whole,” saysDan Berger, president of the National Association of Federal
Credit Unions, a trade group.

A survey of 535 banks conducted last year by the American Bankers
Association found that nearly three-quarters of banks with assets below $1
billion didn’t receive any reimbursement for breaches between 2009 and
2014, while all banks with assets above $50 billion were reimbursed.

The brewing battle is the latest tussle between merchants and the card
industry, which have been clashing on everything from fees to card
security. It also highlights the far-reaching repercussions of data hacks,
as concerns about cybersecurity mount across all industries.

Cardholders aren’t responsible for unauthorized transactions, although they
are often inconvenienced by fraudulent transactions on their accounts and
the need to get replacement cards and new account numbers.

Instead, the financial institutions that issue the cards are on the hook to
absorb fraud losses and pay for the cost of new cards.

This is proportionally a bigger problem for small banks, as it can cost
them more than $10 to replace a card, whereas the nation’s biggest banks
can send out new cards for closer to $3 apiece due to the economies of
scale, according to the bankers association.

“When you have to absorb losses for something you had nothing to do with,
it’s tough,” said Scott Arney, chief executive of the Chicago Patrolmen’s
Federal Credit Union, which has 16,600 Visa-branded debit and credit cards
in circulation and had $80,000 in fraud losses during 2014. Mr. Arney said
he didn’t have details of which breaches accounted for the losses but noted
that the overall problem seems to be getting worse: The credit union has
seen $55,000 in fraud losses during the first quarter of this year.

In a previous breach, Mr. Arney said, the credit union incurred losses of
about $150,000 and received $1,000 in an industry settlement.

Trade groups representing community banks and credit unions estimate they
have spent more than $350 million to reissue credit cards and debit cards
and to deal with other issues related to the Target and Home Depot breaches.

The Target breach exposed 40 million credit- and debit-card accounts to
potential fraud during the 2013 holiday shopping season. The
Minneapolis-based retailer agreed in March to pay $10 million to settle a
consumer class-action suit tied to the breach, without acknowledging
wrongdoing.

Community banks and credit unions filed lawsuits against Target that were
eventually consolidated into one case that is now seeking class-action
status. Their efforts, however, were thrown into doubt earlier this month,
because the $19 million settlement that Target reached with MasterCard
calls for issuers who participate in the settlement to give up their legal
claim against Target.

Plaintiffs in the case include Umpqua Bank in Roseburg, Ore., which is a
unit of Umpqua Holdings Corp.; Mutual Bank in Whitman, Mass.; Village Bank
in St. Francis, Minn.; CSE Federal Credit Union in Lake Charles, La.; and
First Federal Savings of Lorain in Lorain, Ohio.

At a hearing Monday, U.S. District Judge Paul Magnuson didn’t rule on the
plaintiffs’ motion to allow issuers that participate in the settlement to
also pursue other ways to get reimbursed.

Previous breach settlements also have required financial institutions to
drop legal pursuits if they participate in a settlement, but the magnitude
and publicity of the Target incident has attracted more attention from card
issuers.

“We have made it very clear throughout the process that [participation] is
entirely an individual choice for issuers,” said Eileen Simon, chief
franchise integrity officer at MasterCard.

A Target spokeswoman declined to comment, citing pending litigation. The
retailer defended its pact with MasterCard in a motion filed Friday in the
Minnesota court case, saying “there is nothing even remotely unlawful”
about it.

Visa, meanwhile, hasn’t struck a deal with Target, but the company said it
“continues to analyze all relevant information to ensure we reach a
resolution that is accurate and fair to all Visa clients and participants
in the payments system.”

Small card issuers are gearing up for a similar fight over last year’s Home
Depot breach, which exposed 56 million cards to fraud after a five-month
attack on its payment terminals. A host of issuer lawsuits against the
home-repair chain have been consolidated in federal court in Atlanta.

“Recovery amounts for credit unions and community banks are insufficient as
compared with the losses,” says Diana Dykstra, president and CEO of the
California Credit Union League, which is a trade group for 365 credit
unions that are based in the state. Ms. Dykstra’s group and another trade
group, Credit Union National Association, earlier this month joined the
Home Depot lawsuit.

A spokesman for Home Depot declined to comment on the lawsuits.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!