Why Banks Sued Home DepotInstitutions Seek Greater Post-Breach Compensation
The consolidated class-action lawsuit recently filed by banks and credit unions against Home Depot is more evidence of how card issuers are no longer relying solely on card brands to be compensated for losses and expenses linked to breached retailers.
See Also: Ransomware Recovery in the 'New Normal'
And in May, banks rejected MasterCard's $19 million breach settlement with Target because it provided inadequate reimbursement. One of the lead plaintiffs' attorneys in the case says institutions are prepared to go to trial if they don't feel the card brands can come up with an adequate settlement (see Will MasterCard, Target Renegotiate?).
Sign of Changing Times?
William Murray, an information security and payments technology consultant, says lawsuits filed by banking institutions against retailers, coupled with banks' rejection of the MasterCard settlement with Target, marks the dawn of a new era in how issuers relate to the card brands.
"It is evidence of a division of interest between MasterCard and its issuers," he says. "This is not a propitious time for MasterCard to see a major split between their interests and those of the issuers. As recently as two years ago, we spoke of 'brands and issuers' almost as though they were one in the same."
One executive with a leading card issuer on the West Coast says a mistrust of the card brands is brewing among issuers.
The executive says card issuers have "a level of mistrust of what the merchant and brands are telling us, or not telling us; either because they don't know [why retailers keep getting breached] or they are protecting their own interests."
The executive says banks' suspicions about what card brands know and don't know has been fueled by "the lack of clear communication and leadership" from the card brands, as well as their lacking ability to "consolidate" information about potentially breached accounts.
"Issuers are challenged to peel back the complexities of this situation," the executive says.
Shirley Inscoe, a financial fraud expert and analyst with consultancy Aite, says the card brands don't seem to really understand how much issuers are paying or absorbing for card breaches.
"If the settlements reflected the actual expenses incurred by the issuers, merchants would invest in better technology and these breaches would diminish dramatically," she says.
Inscoe also points out that because the court system has even less of a grasp on how much breaches cost card issuers, going to trial is probably a lose-lose situation for the banks, the card brands and the retailers.
"There is no guarantee a lawsuit will result in any more monies being forthcoming than the negotiated settlement amount," she says. "In actuality, the settlement that was not approved may end up being a better deal than the results of a lawsuit, particularly since attorney fees will be more and more massive the longer this issue is contested."
The Home Depot Case
Community banks and credit unions, along with the Credit Union National Association and 16 state credit union associations and leagues, on May 27 filed a consolidated class-action suit against Home Depot in a district court in Atlanta, where Home Depot has its corporate headquarters.
The suit claims that Home Depot failed to properly secure and monitor its payments network, and, as a result, exposed personal and financial information about 56 million U.S. consumers. Home Depot disclosed last September that malware had infiltrated its point-of-sale network and exposed card payment transactions conducted between April 2014 and September 2014.
The attackers later used the breached information to perpetrate fraud, and banking institutions are paying for that expense, plaintiffs claim (see Home Depot Breach Cost CUs $60 Million).
Now institutions are asking the court to compensate card issuers for losses and expenses linked to Home Depot's breach above and beyond what the card brands will pay.
Neither Home Depot nor the card brands responded to Information Security Media Group's request for comment about the consolidated suit and the claims made.
Home Depot Trial Not Likely
Murray says that while the banking institutions and groups involved in the case against Home Depot make valid arguments about why they should be compensated for the expenses and fraud losses they had to cover because of retailer's allegedly inadequate security, it's unlikely this case will go to trial.
It's in the retailers' and card brands' best interests to settle these matters outside of the courtroom, Murray contends. "I prefer trials for the transparency that they provide, but I prefer negotiated settlements for equity," he says.
Visa and MasterCard are likely to work hard to come up with settlements for the Home Depot and Target breaches that satisfy both sides, Murray adds. And because of the breach payment inequities in current agreements with Visa and MasterCard for smaller issuers, it's not likely the courts would be able to sort out what constitutes a reasonable payment to the plaintiffs, he says.
But rather than forcing merchants to pay more, Murray says card issuers need to renegotiate outdated contracts with their issuers.
"I think that the present contracts do not lead to predictable and equitable settlements," Murray says. "I think that the merchants believe that the [interchange] fees they pay are in return for the issuers assuming both credit and fraud risk. I believe this is how the system was sold to them. ... The brands and issuers now find that they have underpriced the fraud and compromise risk."
Murray says it's clear smaller issuers are taking bigger financial hits for card reissuance and breach recovery; yet in most cases, smaller institutions' contracts with the card brands do not account for this inequity, he points out. Smaller issuers can't absorb the costs associated with repeatedly reissuing cards like larger banks can.
Card Brands' Reimbursement Inequity?
Visa addressed this inequity in breach-related recovery payments in May, when it agreed to increase the amount it pays smaller banking institutions forced to reissue cards in the wake of a merchant breach (see Why Visa's Paying Banks More after Breaches).
Rather than paying $2.50 for each re-issued card - which historically was the rate paid to every institution impacted by a breach, regardless of the institution's asset size or annual Visa transaction volume - banking institutions with less than $500 million in annual Visa purchase volume will now be paid $6 per for every card they have to reissue in the wake of a breach at a merchant, according to a May 14 announcement from the American Bankers Association.
MasterCard has not said whether it plans to re-evaluate its current reimbursement fee structure.