The WSJ is reporting that the bankers who were impacted by the Target and Home Depot breaches are fighting back.
Usually, Mastercard and Visa negotiate a deal with the retailer who was breached and then dole out the money to the banks. The money seems to go to the big banks with the small banks being left out.
Earlier this month Target agreed to a deal with Mastercard to pay $19 million to cover the banks costs from the breach. Visa, it is assumed, will negotiate their own deal. Usually, part of this deal is for the banks to agree to give up their right to go after the merchants themselves. The banks have gone to the judge and said that they are not willing to do that.
To help understand why, the small banks are mad as hell and not going to take it any more, to use an old quote. A survey of 535 banks with assets below $1 billion revealed that nearly 75% of them did not receive a dime in reimbursements for breaches between 2009 and 2014. NOT. ONE. DIME. At the same time, all banks with assets above $50 billion were reimbursed.
Breaches are a bigger problem for small banks because they don’t have the economies of scale. A big bank can issue a new card for 3 bucks. It costs the small banks 10 bucks, for example.
The Chicago Patrolman’s Federal Credit Union has only 16,000 Visa cards in circulation. Last year, they suffered $80k in fraud losses. In the first quarter of this year, they had $55k in losses. That is hard for a small bank to swallow. In a previous breach they suffered $150,000 in losses and received $1,000 in reimbursement.
This fight is likely to get ugly before it gets done. One option for the small banks would be to decline to participate in the $19 million settlement, which I think they legally can do. If history is any indicator, that might mean that they forgo getting that $1,000 check.
What it also means is that it is likely to get uglier for Target and Home Depot. It could mean “death by a thousand cuts” where they are defending themselves against a whole bunch of lawsuits.
This is all speculative, but Target was likely thrilled to settle for $19 million when the banks said that they spent over a half billion. If this winds up going to trial, which I doubt Target or Home Depot would ever allow – even if they had to give the banks a lot more money – it would reveal details that these retailers would rather keep quiet.
It also means that the breach stays in the public’s mind longer.
What this also means is that the days of businesses who are breached settling with the banks for a penny on a dollar or less may be over.
All very interesting – stay tuned as this plays out.
Then Target has to deal with Visa. There isn’t even an offer on the table and given what is going on in court right now, I doubt there will be one until this is settled.
For any organization that collects NPI, this means the stakes are being raised. Be smart. You cannot guarantee that you won’t be breached, but, at least make it a challenge.