Digital Transactions Authoritative, insightful and timely information for payments professionals
By Jim Daly
Target Corp.’s $10 million settlement of a consumer class action stemming from its late-2013 data breach is significant not only because of its size, but also because it signals that courts are becoming more attentive to the harm consumers suffer from data breaches even if the payment card networks’ zero-liability policies reimburse them for fraud losses, according a researcher who specializes in data security.
A federal judge in St. Paul, Minn., on Thursday approved the Target settlement, under which Target also could pay up to $6.75 million in legal costs. The retailer also agreed to pay an estimated $7 million in breach-notification expenses, according to the St. Paul Pioneer Press.
“Courts are now leaning against retailers and buying arguments that consumers do suffer damages—perhaps in the form of late fees, blocked bank or credit accounts, and time spent undoing the damage from these direct and ancillary effects,” analyst Avivah Litan of Stamford, Conn.-based Gartner Inc. tells Digital Transactions News via email. “While it’s true that consumers get the unauthorized charges back from their banks, there are extra related consumer costs associated with stolen cards. This case shows that the courts are more sympathetic to consumers and are opining against retailers when it comes to these ‘softer’ damages.”
The Target class action survived in court longer than many of its predecessors. For example, consumer class actions against retailer TJX Corp. were dismissed, even though that retailer’s breach, discovered in 2006, compromised more payment cards—about 46 million according to TJX but up to twice that much by outside estimates, versus 40 million for Target. “The [TJX] judge said that consumers couldn’t prove damages given that they recovered unauthorized charges—under the operating rules of the credit card brands as well as [the Federal Reserve’s] Regulation Z—from their [credit] card issuers,” Litan says.
Litan said another takeaway from the Target settlement is that courts are recognizing that damage can be done to consumers by the theft of personal information such as email addresses and names. Target said that in addition to the 40 million compromised card numbers, non-card data on 70 million customers were exposed in the breach. Many customers were affected by both data thefts.
“I’m not sure how the theft of this related information contributed to the judgment, but this case could also set a precedent that theft of email addresses along with names leads to consumer damages and is grounds for a lawsuit,” says Litan.
While large, the $10 million settlement fund would repay only 25 cents on average if every cardholder affected filed a claim, and only about a dime to everyone affected by the breach. But analysts expect relatively few people to seek reimbursement. That’s in large part because of the “unprecedented rate of card re-issuance” by credit and debit card issuers after the breach, Al Pascual, director of the fraud and security practice at Pleasanton, Calif.-based Javelin Strategy & Research, says in an email message. Pascual cites figures from the American Bankers Association, which estimated that issuers replaced 95% of compromised cards.
Fraud losses also appear to be much lower than first expected. “We initially had made multi-billion dollar estimates with regards to both fraud losses and out-of-pocket costs to consumers that would result from the Target breach, but fortunately for all of the legitimate stakeholders involved they did not prove accurate,” says Pascual. “We missed the mark on that one, but I’m glad to say that we did.”
Based on historical data she’s seen about data breaches, Litan predicts that only about 10% of affected customers will submit claims to the Target fund. That’s because “most of them—probably 90% of more—did not suffer financial damages other than a bit of lost time,” she says.
A recent Javelin study on identity theft estimated the median theft from existing credit and debit card fraud in 2014 was $300, while the mean (average) was $989. The mean direct cost to consumers was $79, with an estimated six hours of resolution time.
Consumers can file claims of up to $10,000 under terms of the settlement. Target still faces claims from the card networks as well as federal and state investigations. Earlier this month, Target reported that it has paid $162 million in net breach-related expenses.
