Recovering Card Losses After Third-Party Breaches

By Christian Levis, Amanda Fiorilla


Some credit unions have received settlements; should you take your situation to court?

Payment card data breaches, in which credit and/or debit card information is stolen from a third party, have been occurring at an alarming frequency over the last several years. According to the non-profit Identity Theft Resource Center, the number of data breaches in the United States alone increased from approximately 200 in 2005 to more than 1,300 in 2017.

Each of these incidents can affect tens (if not hundreds) of millions of consumers. For example, Target reported that a 2013 breach of its systems compromised more than 40 million payment cards. A data breach reported by Home Depot the next year affected approximately 56 million cards. More recently, Equifax acknowledged in 2017 that a data breach exposed highly sensitive personally identifiable information for over 145.5 million people.

But while consumers are often the focus of media attention surrounding payment card data breaches, it is the financial institutions that issued the affected payment cards that bear the brunt of the harm. Credit unions have been at the forefront of recent litigation to recover these costs, bringing class actions against the merchants whose allegedly lax security controls resulted in payment card information being stolen.

This article will examine some notable settlements in prominent payment card data breach class actions involving financial institutions and describe key considerations for credit unions when deciding whether to take their situation to court.

Understanding the Harm to Financial Institutions

The use of payment cards has exploded in recent years. Driven at least in part by the continued rise of e-commerce, payment cards displaced cash as the preferred means of payment among consumers for the first time in 2018, according to a report from the Federal Reserve Bank of San Francisco. Paired with an increasing trend among consumers to store their payment card information with merchants online, there are more opportunities than ever for criminals to steal that data.

Financial institutions that issue payment cards feel the economic impact of this misconduct more than any other group. A recent survey found that the cost of reissuing compromised payment cards ranges from $3 to $25 per card, with smaller financial institutions paying on the higher end of the scale. This can lead credit unions to incur substantial losses in data breaches involving millions of cards nationwide. For example, one credit union reported that it paid $100,000 to reissue 20,000 payment cards following a single data breach. That does not account for the significant capital and human resources spent on other corrective measures, such as notifying customers that their cards may have been compromised, investigating claims of fraudulent activity, or reimbursing members for fraudulent charges. Credit unions may also lose income from interest and transaction fees as a result of decreased card usage following a data breach.

While it may have been possible to accept these expenses as a “cost of doing business” in the past, the increasing frequency of third-party data breaches has led many credit unions to act by filing lawsuits against retailers and other merchants whose systems were breached. Indeed, credit unions have been instrumental in some of the most important payment card data breach cases of the last decade.

Target Data Breach

In December 2013, news broke that malware infecting Target’s point-of-sale system had compromised payment card information for approximately 40 million people. An Ohio credit union was one of several financial institutions to initiate class actions against Target, alleging that Target failed to have adequate and reasonable measures in place to prevent the data breach and ignored clear warnings that its systems had been compromised.

The plaintiffs, including the Ohio credit union, eventually settled. The settlement provided financial institutions that issued payment cards the ability to recover from both the Visa Global Compromised Account Recovery Program and MasterCard Account Data Compromise Program in addition to the approximately $20 million settlement fund established for the class.

This resulted in a substantial recovery for card issuers. Under the terms of the settlement, financial institutions had the option to receive a fixed payment of $1.50 per compromised account or, if they were willing to submit documentary support, 60% of all unreimbursed fraud, card reissuance and other out-of-pocket losses between December 29, 2013, and March 31, 2014. Significantly, this window included not only the breach period, but a three-and-a-half-month loss-incursion window after the breach had ended.

Moreover, class representatives like the Ohio credit union each received an additional $20,000 for leading the case against Target in this litigation.

Home Depot Data Breach

Credit unions played an equally important role in recovering a substantial portion of the losses suffered by financial institutions following a data breach at Home Depot. This breach originated from malware installed on self-checkout kiosks, which hackers used to steal information for 56 million payment cards. More than 35 credit unions filed class actions in the wake of this news, alleging that Home Depot’s security system contained numerous deficiencies, including inadequate internal controls. They claimed that Home Depot had failed to use up-to-date antivirus software, encrypt cardholder data, monitor its network, and scan its system for possible vulnerabilities that could have prevented this breach.

The settlement reached between Home Depot and the financial institution plaintiffs provided for substantial monetary compensation. Eligible financial institutions were able to receive $2 per compromised card or up to 60% of uncompensated losses if they were willing to provide documents to support their claim.

As with the Target settlement, financial institutions could benefit from this class settlement regardless of whether they received compensation from other sources, such as Visa or Mastercard programs. Home Depot also agreed to significant non-monetary relief as part of the settlement, including the adoption of remedial security measures designed to prevent future data breaches.

The court separately awarded class representatives, including two credit unions, an additional $2,500 each for taking the lead role in this action.

Wendy’s Data Breach

In 2016, Wendy’s disclosed that attackers targeting its fast-food restaurants were able to access its point-of-sale systems. According to court documents, these hackers were able to steal information for 18 million payment cards issued by approximately 7,500 financial institutions nationwide. Nineteen credit unions took charge by filing class actions against Wendy’s to recover the losses suffered by financial institutions as a result of Wendy’s alleged failure to adequately protect its point-of-sale system and computer network.

Wendy’s agreed to settle these claims in 2019, providing $50 million in monetary compensation and agreeing to adopt additional security measures designed to prevent future data breaches for at least two years. This resulted in preliminary estimates of between $4.41 and $5.10 in compensation per card for eligible financial institutions. The credit unions that served as named plaintiffs also received as much as $7,500 extra, depending on their role in the case.

When Your Credit Union Is Affected

Credit unions affected by third-party data breaches should not simply write off the cost of remediation as a loss. As demonstrated by the three cases above, financial institutions often have claims against the merchant or retailer whose systems were compromised. Those claims can be valuable and provide a vehicle for recovering a substantial amount of the costs associated with reissuing cards and reimbursing members, among others. Credit unions considering whether to pursue those claims should weigh several factors, including:

  • The number of cards or accounts affected by the breach. This is generally a good indicator of the amount of harm suffered (and potential recovery) from any class action.
  • The costs associated with remediating and/or preventing any related financial fraud. This includes not only the cost of reissuing compromised cards, but reimbursements issued to customers and other expenses. Greater losses here might weigh in favor of taking action, as recent settlements have provided relief for a considerable amount of uncompensated losses. Credit unions should take care to document as much of these costs as possible, since proof of loss is usually required.
  • The deterrent effect that bringing claims may have in preventing future data breaches. Credit unions that choose to pursue claims can benefit the industry as a whole by making it clear to those who accept payment cards that they must do so responsibly while encouraging others to adopt stricter security standards.

These considerations should be carefully evaluated along with other factors that may be unique to each credit union before taking action.

Christian Levis is a partner and Amanda Fiorilla is an associate at Lowey Dannenberg P.C., a law firm with offices in White Plains, New York, and West Conshohocken, Pennsylvania. Christian and Amanda represent credit unions and consumers in data breach cases nationwide.
