BreachExchange mailing list archives

Target, MasterCard Settle Over Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Apr 2015 19:30:07 -0600

http://www.bankinfosecurity.com/target-mastercard-settle-over-breach-a-8110

Target has agreed to pay a total of up to $19 million to issuers of
MasterCard payment cards over losses and expenses they incurred as a result
of the retailer's massive 2013 breach.

The settlement announced April 15 is contingent on issuers of at least 90
percent of the eligible MasterCard accounts accepting their offers by May
20. If sufficient issuers accept the offer, Target says they'll be paid by
the end of June.

"This settlement provides our issuers a reasonable resolution of the Target
data breach event," says Eileen Simon, MasterCard chief franchise integrity
officer. "The timely reimbursement of costs and losses under the agreement
delivers MasterCard issuers a faster and more certain resolution to the
event, while reinforcing our commitment to maintain the integrity of
industry security standards."

MasterCard, in a statement, says issuers that choose not to accept this
offer will have their claims determined by MasterCard internal processes
and may receive more or less than the amounts offered in this settlement,
depending on various factors. Those include MasterCard's final
determinations of their claims and the outcome of any litigation that
Target might file to challenge claim awards to issuers outside of this
settlement.

Target also is in negotiations with Visa for a breach-related settlement,
according to the Wall Street Journal.

'Long Overdue'

Jim Nussle, chief executive of the Credit Union National Association,
criticizes the delay in reaching a settlement with MasterCard. "It is about
time that Target steps up to its responsibilities in this breach," Nussle
says. "And it is long overdue for merchants to start living up to their
responsibilities in protecting customers' sensitive information by adopting
higher security standards."

Dan Berger, chief executive of the National Association of Federal Credit
Unions, says the size of the MasterCard settlement was disappointing.
"While we appreciate that the settlement attempts to hold Target somewhat
accountable, we were hoping it would be more than just pennies on the
dollar," Berger says. "We believe that this demonstrates the reason why
Congress must act to protect consumers' financial information by enacting
stronger standards and holding retailers and merchants directly accountable
for their data breaches."

As Target and MasterCard announced their settlement, the House Energy and
Commerce Committee passed a data breach notification and security bill that
calls on companies to take "reasonable security measures and practices" to
secure the personally identifiable information of customers (see National
Data Breach Notification Bill Advances).

Target says the 2013 breach compromised at least 40 million payment cards
and might have caused the pilfering of personal information from as many as
110 million people. The retailer has reported that its breach costs have
totaled at least $252 million so far, with $90 million covered by insurance.

The retailer last month announced a pending $10 million settlement of a
consumer lawsuit.

Target and MasterCard did not immediately respond to requests for comment.

Information Security Media Group will update this story as more information
becomes available.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/