Small Banks Fight Back Over Data Breach Losses

Small banks and credit unions are fighting back after major data breaches involving Target and Home Depot. These breaches caused them to incur huge financial losses, the majority of which have not been reimbursed by the retailers. As reported recently by The New York Times, these smaller financial institutions have now banded together to file objections to settlements over the data breaches.

In a data breach, like those that recently occurred with Target and Home Depot, customers aren’t responsible for any fraud that happens on their account as a result. Instead, those fraudulent charges fall to the consumer’s bank to try to recoup or absorb the loss. The financial institution is also responsible for the cost of all the new credit and debit cards that have to be issued to replace those that were compromised. For smaller banks, these card replacements can cost upwards of $10-12 apiece. Due to economies of scale, larger financial institutions can replace cards for a fraction of the cost, around $3 per card.

These card replacements hurt smaller banks more than their larger counterparts, but so do the settlements that come as a result. Small banks are objecting to the disproportionately large settlements major banks typically receive from card companies like Visa or Mastercard after a data breach. For example, Target recently reached a $19 million settlement with Mastercard to help cover the costs of that data breach. That money is then doled out to banks, with the largest institutions historically receiving the most money.

To illustrate this point, the New York Times cites a 2014 study of more than 500 bank and credit unions over the last five years. All banks with assets above $50 billion were reimbursed for their losses during data breaches, while just 25% of banks with assets less than $1 billion received any reimbursement.

Small banks have already filed an objection to the Target settlement, and one for the Home Depot settlement is on the way. The rulings that result from these objections could signal a significant shift in the way losses are handled after a data breach. What’s more, it shines an important spotlight on the precarious position of our personal financial data, and just how vulnerable it is in today’s digital world.