Target Corp. and Visa Inc. announced a settlement on August 18 requiring Target to pay up to $67 million to reimburse credit-card issuers for costs stemming from Target’s 2013 data breach. By comparison, Target and MasterCard reached a tentative agreement in May 2015 to settle a proposed class action involving banks and credit unions stemming from the breach for $19 million. But fewer than the required 90% of applicable banks and credit unions approved that settlement. The recent settlement with Visa, which is three times larger than the proposed settlement with MasterCard, received the requisite support from the financial institutions. This settlement illustrates that retailer liability to financial institutions stemming from a breach can be a multi-million dollar source of liability, in addition to other liabilities from the breach, such as for notification costs, forensic expenses, and consumer litigation.
Retailers who suffer a data breach must be aware of the possibility that financial institutions may sue them for costs they incur from the breach. Although the financial institutions base their suits on the same set of facts as in consumer litigation, the probability of success in litigation involving consumers as opposed to financial institutions depends on a different analysis. For example, in some circumstances, it may be easier for financial institutions, as compared to consumers, to establish standing in data breach litigation.
The recent settlement between Target and Visa may act as a benchmark for future litigation. Retailers responding to a breach must consider the risk of lawsuits by financial institutions, in addition to any consumer litigation.