Data Breach Settlement Insufficient

Breaches, breaches everywhere but not a consequence to be found – until now.

Data Breaches Passe

033_target

The Target data breach settlement negotiated by Mastercard has been refused by the three largest participating banks

Data breaches are (almost) no longer newsworthy. Exploited companies publish bland notices to the community indicating a breach has been reported and they are cooperating with authorities. Cyber security experts investigate.  The exploited company publishes the boilerplate list of exploited vulnerabilities. Occasionally a CISO or CIO’s employment is terminated.  And so on.

People complain about credit card interest rates but don’t correlate that experience to data breaches. It turns out a cause of high-interest rates is the result of card issuers recovering the costs associated with credit card data breaches. And guess what? That cost of doing business matters to the card issuers. The tide is turning and the accountability for data breaches is going to shift.  In their own self-interest, the major banks are pushing back – and we will eventually benefit.

Big Banks Push Back

Citigroup, Capital One Financial Corp. and J.P. Morgan Chase & Co. have each rejected the $19 million settlement negotiated on their behalf by Mastercard with Target Inc. More than $350 million has been spent addressing all of the issues associated with the 40 million cards affected by the data breach. An untold number of dollars has been stolen by the thieves associated with the Target breach with an estimated 9 billion US lost to thieves industry-wide last year. Small card issuers receive only pennies on the dollar for their losses.  They get their money after the big firms get theirs.  In that context, it’s not surprising that the major banks behind the card issuers are taking a firmer stand.

But how much is enough and how much can Target afford to spend compensating these firms for their lax controls? At what point does the consequence pass beyond termination of a senior executives employment and affect the stockholders of a company? When they care – we’ll benefit.  Target reported net revenue of 72 billion dollars in 2014.  While the settlement figure might affect stock prices temporarily, it’s not going to have a lasting effect.  Hopefully, the banks can raise the stakes and make the settlement meaningful for Target’s stakeholders – so we benefit.