Target agrees to pay 'up to $19 million' in settlement over data breach costs

Out-Law News | 16 Apr 2015 | 1:39 pm

Target will pay up to $19 million to MasterCard and banks to settle claims from those companies that it should foot the bill for costs they sustained following a data breach the US retailer suffered in 2013.

MasterCard chief franchise integrity officer Eileen Simon said the settlement represents "a reasonable resolution of the Target data breach event" for banks that issue MasterCard-branded payment cards. 

"Under the agreement, Target will make available up to $19 million in alternative recovery offers to eligible banks and credit unions across the globe," MasterCard said in a statement. "These funds will settle their claims for operational costs and fraud-related losses on MasterCard-branded cards believed by MasterCard to have been affected by the data breach. Upon accepting the offer, each issuer will release MasterCard, Target and its acquiring banks from all claims related to the data breach." 

For the settlement to be finalised, MasterCard issuers "representing at least 90% of the eligible MasterCard accounts" have to accept their "alternative recovery offers" by 20 May this year. Banks can challenge the specific amount that MasterCard will distribute to them under the settlement agreement, MasterCard said. 

The tabled settlement relates to the fallout from a hacking attack on Target in 2013 which resulted in the personal data of approximately 110 million of its customers being stolen. The credit and debit card details of approximately 40m of those customers were compromised in the attack. Target has faced legal action in the US from financial institutions and consumer groups over the data breach.

Data protection and litigation expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said: "The Target case and this proposed settlement evidence the increasing sophistication of cyber crime and its impact. Businesses are becoming increasingly digitised and enabling multi-channel sales but they need to ensure they have appropriate cyber security measures in place to respond to the growing cyber risk they face."

"Most of the recent monetary penalties issued by the Information Commissioner's Office (ICO) for data breaches have been against private sector companies, so businesses cannot consider themselves immune from financial penalties," she said. "Planned new EU data protection rules promise far larger turnover-linked penalties for businesses that fall short on personal data security in future. With these reforms and the fact businesses can be held liable for third parties' costs in handling the fallout of incidents and forced to compensate consumers, the cost of dealing with data breaches could soon become catastrophic for businesses."