Target confirmed a report in the Wednesday edition of The Wall Street Journal of a settlement with MasterCard concerning claims of card-issuers arising from Target’s 2013 data breach. The data breach, which occurred during the post-Thanksgiving holiday shopping season, compromised over 40 million credit and debit cards used to make purchases at Target stores. The settlement has not been presented to the court for approval but was described in a press release issued by Target after the close of business on Wednesday. The settlement proposes payment of up to $19 million (previous reports had indicated a fund of $20 million) to reimburse issuers of MasterCard-branded payment cards for costs arising from reissuance of cards compromised by the data breach. Target’s obligation to proceed with the settlement is conditioned on acceptance by issuers of at least 90% of the eligible payment card accounts. Target indicates in its press release that it intends to “defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.” In order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach. The press release also states that the potential $19 million cost of the MasterCard settlement is included in the total cost of the data breach disclosed Target’s public securities filings (reported at 2014 year end to be $252 million before insurance offsets).
According to Target’s Wednesday press release, issuers that accept the MasterCard settlement are expected to be paid “by the end of the second quarter of 2015.” Based on the description of the settlement and the expected timing, it appears that the MasterCard settlement will take place entirely outside of the card issuer class action that is still pending in federal court in Minnesota, although any releases given in connection with the MasterCard settlement would finally resolve claims of settling issuers as to MasterCard payment cards compromised by the breach. The proposed settlement would not affect outstanding claims on behalf of issuers of other types of payment cards (including Visa, Discovery and American Express cards).