Banks hurt by the Target data breach two years ago will not be able to block a settlement they consider unfair, a judge ruled last week.
A group of small banks and credit unions could not persuade a judge to block the settlement Target and MasterCard reached last month that would reimburse banks on the card network $19 million for losses related to the retailer's breach.
U.S. District Court Judge Paul Magnuson wrote that the settlement will go through, even though its terms "do not appear altogether fair or reasonable."
The legal standard for blocking such a settlement "is simply too high to allow the court to intervene," he wrote. Even if the settlement is not entirely fair, a court can block it only if there are signs of "serious misconduct" in how it was reached, he wrote.
"Although the settlement may not 'pass the smell test,' as the saying goes, it is not serious misconduct," Magnuson wrote.
The ruling continues years of legal frustration for banks that have tried to use the courts to seek restitution for losses they suffer in retailers' data breaches. Banks often have to reimburse customers for fraudulent purchases and pay for replacement cards, but they rarely receive full compensation for their losses.
In late 2013, around 40 million Target customers had their information compromised in the second-largest data breach ever. A group of five financial institutions, including Umpqua Bank in Portland, Ore., and Mutual Bank in Whitman, Mass., sued Target last year, claiming that the retailer's poor security made the breach possible.
The banks said the breach could eventually cost all financial institutions $18 billion. They opposed last month's settlement because of what their lawyers called its "paltry" payout, and because it included provisions forbidding banks that signed on from seeking restitution independently.
"The agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history," said an email from the banks' co-lead counsels, Charles Zimmerman of Zimmerman Reed and Karl Cambronne of Chestnut Cambronne.
"The court's opinion is a harsh indictment of the 'settlement' proposed by Target and MasterCard, and should give financial institutions great pause before accepting this flawed and inadequate agreement," they wrote.
In an email from a spokeswoman, Target said: "We are pleased with the court's decision, which we believe will allow us to resolve claims with participating MasterCard issuers and avoid protracted litigation with those issuers."
A MasterCard spokesman did not immediately respond to a request for comment.
The card network, which is not part of the banks' suit against Target, independently negotiated a settlement with the retailer to reimburse banks that use the network for the losses they suffered in the breach. Banks will have until May 20 to accept the settlement, and if they do so, they will forfeit the right to pursue restitution independently.
The plaintiffs suing Target were "not surprisingly discomfited" when they learned about the settlement, Judge Magnuson wrote, because of the "short time frame in which [they] must decide whether to participate in the settlement and thereby give up their claims here."
However, because the banks were not involved in the settlement, they have no legal right to block it, he determined. The banks' "issues with the settlement are understandable, but they are also not susceptible of a legal remedy," Magnuson wrote.
Along with Umpqua and Mutual, Village Bank in Saint Francis, Minn., CSE Federal Credit Union in Lake Charles, La., and First Federal Savings of Lorain in Ohio joined the suit.