BreachExchange mailing list archives

Difficult to Determine If Target Settlement 'Fair'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Dec 2015 18:40:59 -0700

http://www.databreachtoday.com/blogs/difficult-to-determine-if-target-settlement-fair-p-1995

Determining the "fairness" of Target's proposed $39 million settlement with
financial institutions affected by the retailer's 2013 breach is impossible
until we find out the answers to many questions, including how many banks
and credit unions qualify (see Target Reaches Settlement with Banks).

Two years ago, a group of banks filed a class action lawsuit against
Target in hopes of recouping breach-related expenses above and beyond what
the card networks provide through their recovery and data compromise
programs.

In a statement provided to Information Security Media Group shortly after a
district judge in Minnesota granted preliminary approval of the proposed
settlement, Randy Diers, president of Village Bank, one of the banks
involved in the suit, said: "While we wish the Target data breach had never
occurred, we felt obligated to represent the class of financial
institutions throughout the United States. This settlement represents the
best possible outcome for financial institutions, as it provides immediate
and fair compensation and will hopefully help prevent the occurrence of
similar data breaches in the future."

While I'm happy to see that a settlement has finally been reached, it's not
yet clear whether it's truly "fair."

That's because we don't know how many banks and credit unions accepted
previous settlements from the card brands, which makes them ineligible for
benefitting from the lawsuit settlement. We also don't know how much card
issuers affected by the breach were compensated by the card brands as part
of their recovery and data compromise programs.

Ultimately, the court will decide the "fairness" of this settlement when it
issues a final ruling on May 10, 2016. But in granting preliminary approval
on Dec. 2, a judge called the suit "fair, reasonable and adequate."

Payout Details, So Far

The proposed Target settlement with the banks would apply to all U.S.
banking institutions impacted by Target's breach that did not waive their
right to participate in the lawsuit by participating in the $67 million
settlement negotiated by Visa or the $19 million MasterCard settlement.

In May, card issuers rejected Target's initial settlement with MasterCard.
But Seth Eisen, a spokesman for the card brand, told me that MasterCard
actually reached a second settlement with Target in August for the same
amount, though the details were never made public, and no statement about
the settlement was ever posted.

The Mystery of Rules of Recovery

The methods the card networks use to determine post-breach settlement
offers are not easy to comprehend. They use complex and somewhat mysterious
algorithms to determine how much is paid to issuers as part of their
recovery and data compromise programs.

Merchants say these expenses are covered by interchange fees they pay to
Visa and MasterCard. But no one knows what percentage of those interchange
fees is being put toward reimbursements for issuers, or how the card
networks determine the payouts.

Retailers argue that because the interchange fees they pay to Visa and
MasterCard are designed to cover breach-recovery expenses, they shouldn't
be asked to reimburse banks for additional breach-related expenses, as
Target is doing as a result of its lawsuit settlement.

But bankers argue that the "pennies on the dollar" they receive from the
card networks in the wake of a breach don't come anywhere close to covering
overall costs associated with reissuing cards and refunding customers for
fraudulent account activity that hits after cards are compromised. And
because retail breaches have become so common, the losses banks and credit
unions once absorbed have become unbearable to manage, they contend.

We'll never know if the bankers' argument has merit unless the card
networks' operator rules and policies are revealed. It's baffling how
publicly traded companies such as Visa and MasterCard can remain so cryptic
about their reimbursement fee structures and funding - and it's a sore
point for bankers and retailers alike.

In an interview shortly after the Target breach, Viveca Ware, executive
vice president of regulatory policy for the Independent Community Bankers
of America, explained how the card networks maintain an upper-hand that's
impossible for issuers and retailers to challenge. "Visa and MasterCard do
have programs that enable issuers to recoup a portion of losses and
operational expenses related to mag-stripe counterfeit fraud losses," she
says. "But this restitution is only available when the networks declare
that a particular breach is eligible for the program."

Determining 'Fairness'

Avivah Litan, a financial fraud expert and analyst at the consultancy
Gartner, contends that Visa and MasterCard have an unfair advantage, and
virtual control, over the U.S. retail payments market.

"This is a fair market issue that the U.S. Department of Justice has not
adequately addressed, in my opinion," she says. "So, given this situation,
the retailers have been put in an unfair position."

Shirley Inscoe, a financial fraud expert and analyst at the consultancy
Aite, says determining the "fairness" of the proposed Target settlement is
impossible.

"This proposed settlement is difficult to comment on without a lot more
information," she says. "For example, it is unclear which - or how many -
financial institutions are eligible to make claims against the $39 million.
Compared to the number of consumers impacted by this breach, the amount is
a pittance. Similarly, the amounts of previous settlements with Visa and
MasterCard were so paltry, they were laughable."

Inscoe contends there has never been a post-breach settlement offered
through either network that has come close to compensating banks and credit
unions for all of the breach-related expenses and fraud losses they have
had to cover. "Sadly, the only parties profiting under the current process
are the criminals and the attorneys," she says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 