The Mouse That Roared?
The news that the proposed $19 million settlement between MasterCard and Target has been rejected, in no small part because of the vocal opposition of credit unions that complained that the proposed deal didn’t adequately compensate smaller issuers for the costs of the breach that impacted as many as 40 million cards and 110 million people, is an important victory for the industry. It demonstrates that the concerns of smaller institutions have to be a major focus of any efforts by the courts and policymakers trying to apportion the costs of data breaches. This may have been the moment when the little financial institutions came together and announced that, when it comes to data breaches, “they’re mad as Hell and they are not going to take it anymore.”
Under an agreement announced between MasterCard and major issuers in March, issuers would have gotten $19 million to settle claims related to the breach provided that at least 90 percent of card issuers signed off on the deal by May 20th. If you, like your faithful blogger, were already in long-weekend mode on Friday, you may have missed the news. As NAFCU’s Carrie Hunt said in this morning’s American Banker, “[t]he failure to opt in to the settlement by financial institutions sends a strong signal to card companies that the current reimbursement system does not work and financial institutions need to be made whole.”
Opposition to the settlement was led by a group of small banks and CSE Federal Credit Union in Lake Charles, La. They sued Target last year and are seeking to bring a class action lawsuit. They complained that the settlement amounted to “pennies on the dollar” compared to the actual costs of the data breach. They filed a motion seeking to block the settlement. Even though that attempt failed, they lost the battle but won the war. Their failed attempt provided a platform from which they could argue that the settlement was a bad deal.
Now what? Good question. When you begin to parse through the legal issues and try to determine not only the cost of breaches but how they should be apportioned we get into murky water here with both sides having incentives to negotiate. Target wants to move on and it would take years of litigation before credit unions or banks ever get a dime for the breach.
That is why, as good as the lawsuit feels, Congress and legislatures are best suited to apportion the costs of data breaches and prevent further instances. The litigation comes at a great time for the industry. Congress is starting to pay attention to data breach issues . . . finally. The lawsuit shows that the existing system doesn’t adequately protect credit unions for data breach costs.
For your largest issuers, they are just another cost to be absorbed but for smaller institutions data breaches result in direct and indirect costs that, if left unabated, will push even more credit unions to merge or close their doors.