ST. PAUL, Minn. (3/20/15)--Despite Thursday's announcement by Target of a $10 million settlement for a consumer class-action lawsuit related to its 2013 data breach, credit unions are still waiting to be reimbursed for the nearly $30 million of costs they incurred in response to the breach. The settlement only covers payments to consumers for damages they may have incurred. It does not cover costs credit unions and other financial institutions incurred as a result of the breach.
CUNA President/CEO Jim Nussle weighed in on the Target news: "For 15 months, credit unions and their members have been pushed to the back burner waiting to be reimbursed for over $30 million lost, at no fault of their own, due to Target's failure to safeguard the data of its customers. Further, it shouldn't take a court-approved settlement for Target to provide basic security measures to protect American consumers from data breaches.
"Credit unions continue to protect their members as a result of merchant data breaches--and there's no end in sight. It's high time for merchants to be held to the same standards as financial institutions to ensure all consumers' private information is protected."
Under the settlement, which must still be approved by a federal court, Target will be required to implement data security measures such as appointing a chief information security officer and maintaining a written information security program.
Target will deposit the settlement amount into an interest-bearing escrow account to pay individual victims up to $10,000 in damages. The claims will be submitted and processed primarily online through a dedicated website, according to the court documents.
Roughly 40 million consumers had payment card data compromised as a result of the Target breach, and more than 70 million people had personal information compromised.
A CUNA survey found that after the Target breach alone, credit unions reissued roughly 4.6 million credit and debit cards. Credit unions covered not only the cost of fraud, but also the costs of blocking transactions, reissuing cards, increasing staff at call centers and monitoring members' accounts.
The cost was approximately $5.68 per card for the Target breach and higher than that for the Home Depot security failure.
On Wednesday, the House Energy and Commerce subcommittee conducted a hearing on a discussion draft of the Data Security and Breach Notification Act of 2015. Witnesses shared insights on the announced legislation, which is intended to protect against cyberattacks and safeguard consumer information.
Credit unions are subject to high data protection standards under the Gramm-Leach-Bliley Act, and they take their responsibility to protect their members' data seriously, Nussle said in a letter to leadership of the energy and commerce panel.