In the wake of Target’s April 15 announcement of a private $19 million settlement of the data breach claims of MasterCard-issuing banks, counsel representing the putative card issuer class in the consolidated Target data breach litigation moved to enjoin the proposed settlement, arguing that it is an improper end-run around the Minnesota federal court’s adjudication of card issuer claims. Target has responded that the settlement appropriately uses dispute resolution processes in MasterCard’s operating agreements to address breach-related losses, and employs a process that has been endorsed by other federal courts in prior data breach cases. The motion awaits action by Judge Magnuson, who is presiding over the consolidated cases pending against Target.
The parties’ motion papers have fleshed out the details of the Target-MasterCard settlement. According to an affidavit submitted by counsel for Target, MasterCard Operating Regulations specify certain procedures – referred to as the Account Data Compliance (or “ADC”) Program – for addressing card issuer losses resulting from retailers’ data breaches. Following ADC Program procedures, MasterCard conducted an investigation to determine how many MasterCard accounts were affected and what losses resulted to card issuers (in the form of fraud losses and the cost of replacing and reissuing affected cards). Target disputed MasterCard’s loss determination and initiated an appeal process that is available under the MasterCard Operating Regulations. Shortly after filing the appeal (which remains undecided) Target commenced negotiations with MasterCard to resolve their dispute. Those negotiations yielded a lengthy agreement which, as previously reported, will distribute up to $19 million to reimburse card issuing banks. According to Target and Master Card, the $19 million settlement fund equals 71.4% a portion of the MasterCard’s calculation of the card issuers’ fraud losses and card reissuance costs. Card issuers must affirmatively opt-in to participate in the settlement, and Target will not be obligated to conclude the settlement unless issuers of at least 90% of the eligible payment card accounts opt in. Finally, in order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach.
On April 21, just six days after announcement of the MasterCard settlement, counsel for the card issuer class moved for a preliminary injunction to block the settlement. The brief supporting class counsel’s motion focuses on two features of the MasterCard settlement; the requirement that banks must release all of their data breach claims against Target in order to accept the settlement, and the provision that permits Target to walk away from the settlement if it is accepted by card issuers holding fewer than 90% of the affected cards. Class counsel argue that it is improper to seek releases in exchange for participation in the MasterCard ADC Program, which is a contractual right of card issuers. They contend that Target would at most be entitled to set off ADC Program recoveries against total card issuer damages. Further, class counsel assert that conditioning settlement on participation of issuers of 90% of the affected cards makes the proposed compromise, in substance, a private class settlement that would be devoid of the court review and supervision of class settlements that is mandated by Fed. R. Civ. P. 23(e). Finally, class counsel assert that Target and MasterCard have made deceptive statements about the settlement. In particular, class counsel challenge the disclosure that the proposed settlement would cover 71.4% of card issuers’ losses, claiming instead that “total losses actually suffered by card-issuing financial institutions are astronomically higher than the $19 million offered under the Proposed Settlement.”
Target’s opposition to the preliminary injunction motion followed just three days later. Noting the substantial overlap between the class claims and the losses covered by the ADC Program, Target took the position that the MasterCard settlement merely fulfills the purpose of the ADC Program – to compensate card issuers for the losses and costs resulting from a data breach. Conditioning issuers’ participation in the settlement on a release of all claims was intended to provide complete peace to Target in consideration for its agreement to pay money to resolve disputed claims, a traditional feature of litigation settlements. Target denied that there is anything coercive in requiring a release or conditioning overall settlement on the participation of issuers of 90% or more of the affected cards, as any issuer that wishes to maintain the status quo and continue to litigate disputed claims – including claims available under the ADC Program – could simply decline to accept the settlement. Finally, Target pointed to the use of settlements based on the MasterCard and Visa data breach resolution processes to resolve card issuer claims in the TJX and Heartland Payment Systems cases. The judge in TJX commented favorably on the use of such a process to resolve card issuer claims, while the Heartland court summarily denied a similar request by class counsel to enjoin settlements with card issuers based on MasterCard and Visa claim resolution processes. Target also stood by the accuracy of its statements concerning the settlement.
No hearing date has been set on class counsel’s motion, and it is not possible to determine when Judge Magnuson is likely to render his decision.
As is augured by prior courts’ acceptances of the MasterCard and Visa settlements in the TJX and Heartland cases, class counsel’s challenge to Target-MasterCard settlement is likely to fail. Under Fed. R. Civ. P. 23, which governs class actions, neither Target nor putative members of the card issuer class are bound by actions of class counsel before a class is certified. Further, Rule 23(e) only requires court approval for settlements of claims of a certified class. Where, as here, each card issuer is free to accept or reject the settlement without prejudice to the rights of other putative class members, no judicial approval is required. Given that the putative class members are card-issuing banks – and, thus, presumptively sophisticated parties – there is small likelihood that a federal court would feel any need to reach beyond the letter of Rule 23 to protect putative class members from attempts by a defendant to settle with them individually. Should Judge Magnuson follow TJX and Heartland and permit the Target-MasterCard settlement to go forward, the ruling would certainly pave the way for a similar settlement with Visa card issuers. Also likely would be a campaign by class counsel to dissuade issuers from opting into the settlements in hopes of triggering termination for failure to obtain opt ins from issuers of 90% or more of the affected cards. If Target prevails on the pending injunction motion and then secures sufficient opt ins to conclude the settlement, the successful use of that settlement model in a third significant case is likely to provide a template for resolution of card issuer claims in future data breach class actions.