Proposed $19 million data breach settlement between Target and MasterCard is voided

Banks and credit unions pushing to be fully reimbursed for losses suffered as a result of Target Corp.'s data breach have thwarted a proposed $19 million settlement that some claim would only cover "pennies on the dollar."

Last month, Target and MasterCard announced the tentative out-of-court settlement to begin paying banks for the millions of dollars they spent to reissue new cards and to cover fraud-related charges following the breach. But it was contingent on 90 percent of the eligible MasterCard accounts signing off on the offer by Wednesday. Both parties confirmed on Friday that threshold was not met, voiding the pact.

The setback for Target and MasterCard was met with cheers by the lead plaintiffs' attorneys in a federal lawsuit against Target brought by smaller banks who have denounced the proposed settlement as too little relief. They have called the settlement "laughable" and slammed it for going around the courts. Their lawsuit, which is planning to seek class-action status later this year, is making its way through U.S. District Court in St. Paul and is expected to go to trial in March 2016.

"We are pleased that financial institutions have resoundingly rejected Target and MasterCard's attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history," Minneapolis attorneys Charles Zimmerman and Karl Cambronne said in a joint statement. "Financial institutions clearly saw through Target's misleading statements and efforts to extinguish pending legal claims for pennies on the dollar."

Others applauded the settlement's demise, including a trade association representing credit unions.

"The failure to opt in to the settlement by financial institutions sends a strong signal to card companies that the current reimbursement system does not work and financial institutions need to be made whole," Carrie Hunt, a senior vice president of the National Association of Federal Credit Unions, said in a statement.

But MasterCard does not appear to be finished.

"At this stage we will continue to work to resolve the matter," MasterCard said in a statement without elaborating on what further action it might take.

MasterCard added that the alternative recovery offer was an effort to provide banks with a more certain and faster payment following the 2013 data breach. If it had gone through, banks would have been reimbursed their share of the settlement by the end of the second quarter. MasterCard did not reveal how close the settlement came to passing.

Target, which had urged financial institutions to sign on to the deal, had no comment beyond confirming the unraveling of the settlement.

The plaintiffs in the federal lawsuit had tried unsuccessfully to block parts of the settlement earlier this month. They noted that MasterCard said the $19 million settlement would cover 71.4 percent of banks' costs related to the breach, but said that percentage is based on a MasterCard formula and was not representative of the actual costs banks and credit unions suffered. MasterCard is not a party to the lawsuit.

The federal judge presiding over the case in St. Paul denied the attempt to block the settlement since the lawsuit has not yet been certified as a class. But he did send some strong signals that he did not think it was a reasonable resolution, saying that the settlement might not "pass the smell test."

MasterCard originally demanded that Target pay more than $26 million to its card-issuing banks for damages from the data breach, he wrote. The two parties later settled on the $19 million figure.

According to court documents, MasterCard has identified about 8.8 million of its accounts that were affected by the data breach.

Visa is believed to have a much larger portion of card accounts affected by the breach. It is still in talks with Target to reach a resolution.

About 40 million customers had their payment card information stolen after hackers infiltrated Target's point-of-sale systems during the holiday shopping season in 2013. Another 70 million people had their personal information compromised.

Since then, Target has racked up $256 million in expenses related to the breach, about $90 million of which is expected to be covered by insurance. The $19 million settlement that has fallen apart was included in that figure.

In March, the retailer reached a separate $10 million settlement to resolve a class-action lawsuit brought by consumers whose cards were stolen.

Kavita Kumar • 612-673-4113