Target 2013 Annual Report Download - page 22

Download and view the complete annual report

Please find page 22 of the 2013 Target annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 82

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82

17
Data Breach
Description of Event
As previously disclosed, we experienced a data breach in which an intruder stole certain payment card and other guest
information from our network (the Data Breach). Based on our investigation to date, we believe that the intruder
accessed and stole payment card data from approximately 40 million credit and debit card accounts of guests who
shopped at our U.S. stores between November 27 and December 15, 2013, through malware installed on our point-
of-sale system in our U.S. stores. On December 15, we removed the malware from virtually all registers in our U.S.
stores. Payment card data used in transactions made by 56 additional guests in the period between December 16 and
December 17 was stolen prior to our disabling malware on one additional register that was disconnected from our
system when we completed the initial malware removal on December 15. In addition, the intruder stole certain guest
information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals.
Our investigation of the matter is ongoing, and we are supporting law enforcement efforts to identify the responsible
parties.
Expenses Incurred and Amounts Accrued
In the fourth quarter of 2013, we recorded $61 million of pretax Data Breach-related expenses, and expected insurance
proceeds of $44 million, for net expenses of $17 million ($11 million after tax), or $0.02 per diluted share. These
expenses were included in our Consolidated Statements of Operations as Selling, General and Administrative Expenses
(SG&A), but were not part of our segment results. Expenses include costs to investigate the Data Breach, provide
credit-monitoring services to our guests, increase staffing in our call centers, and procure legal and other professional
services.
The $61 million of fourth quarter expenses also includes an accrual related to the expected payment card networks’
claims by reason of the Data Breach. The ultimate amount of these claims will likely include amounts for incremental
counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment
card networks believe they or their issuing banks have incurred. In order for us to have liability for such claims, we
believe that a court would have to find among other things that (1) at the time of the Data Breach the portion of our
network that handles payment card data was noncompliant with applicable data security standards in a manner that
contributed to the Data Breach, and (2) the network operating rules around reimbursement of operating costs and
counterfeit fraud losses are enforceable. While an independent third-party assessor found the portion of our network
that handles payment card data to be compliant with applicable data security standards in the fall of 2013, we expect
the forensic investigator working on behalf of the payment card networks nonetheless to claim that we were not in
compliance with those standards at the time of the Data Breach. We base that expectation on our understanding that,
in cases like ours where prior to a data breach the entity suffering the breach had been found by an independent third-
party assessor to be fully compliant with those standards, the network-approved forensic investigator nonetheless
regularly claims that the breached entity was not in fact compliant with those standards. As a result, we believe it is
probable that the payment card networks will make claims against us. We expect to dispute the payment card networks’
anticipated claims, and we think it is likely that our disputes would lead to settlement negotiations consistent with the
experience of other entities that have suffered similar payment card breaches. We believe such negotiations would
effect a combined settlement of both the payment card networks' counterfeit fraud loss allegations and their non-
ordinary course operating expense allegations. We based our year-end accrual on the expectation of reaching
negotiated settlements of the payment card networks’ anticipated claims and not on any determination that it is probable
we would be found liable on these claims were they to be litigated. Currently, we can only reasonably estimate a loss
associated with settlements of the networks' expected claims for non-ordinary course operating expenses. The year-
end accrual does not include any amounts associated with the networks' expected claims for alleged incremental
counterfeit fraud losses because the loss associated with settling such claims, while probable in our judgment, is not
reasonably estimable, in part because we have not yet received third-party fraud reporting from the payment card
networks. We are not able to reasonably estimate a range of possible losses in excess of the year-end accrual related
to the expected settlement of the payment card networks’ claims because the investigation into the matter is ongoing
and there are significant factual and legal issues to be resolved. We believe that the ultimate amount paid on payment
card network claims could be material to our results of operations in future periods.