| Data Breach | Data Breach In the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and other guest information from our network (the Data Breach). Based on our investigation, we believe that the intruder installed malware on our point-of-sale system in our U.S. stores and stole payment card data from up to approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between November 27 and December 17, 2013. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals. Data Breach Related Accruals Each of the four major payment card networks has made a written claim against us regarding the Data Breach, either directly or through our acquiring banks. In August 2015, we entered into a settlement agreement with Visa under which we will pay up to $67 million to eligible Visa card issuers worldwide that issued cards that Visa claimed to have been affected by the Data Breach. Our previously recorded accrual for estimated probable losses related to Visa is consistent with the settlement. We expect to dispute the remaining unsettled claims regarding the Data Breach that have been or may be made against us by the payment card networks. With respect to the three major payment card networks other than Visa, we think it is probable that our disputes would lead to settlement negotiations. We believe such negotiations would effect a combined settlement of the payment card networks' counterfeit fraud loss allegations and their non-ordinary course operating expense allegations. In addition, more than 100 actions were filed in courts in many states on behalf of guests, payment card issuing banks, and shareholders, seeking damages or other related relief allegedly arising out of the Data Breach. The federal court actions (the MDL Actions) have been consolidated in the U.S. District Court for the District of Minnesota (MDL Court) pursuant to the rules governing multidistrict litigation and one remaining state court action has been stayed. In March 2015, Target entered into a Settlement Agreement that, upon approval of the MDL Court, will resolve and dismiss the claims asserted in the MDL Actions on behalf of a class of guests whose information was compromised in the Data Breach. Pursuant to the Settlement Agreement, Target has agreed to pay $10 million to class member guests, certain administrative costs associated with the settlement, and attorneys’ fees and expenses to class counsel as the Court may award. The claims asserted by payment card issuing banks and shareholders in the MDL Actions remain pending. One action was filed in Canada relating to the Data Breach. That action was dismissed, but is being appealed. State and federal agencies, including State Attorneys General, and the Federal Trade Commission are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. The SEC's Enforcement Division concluded its investigation during the second quarter of 2015 and does not intend to recommend an enforcement action against us. Our accrual for estimated probable losses for what we believe to be the vast majority of actual and potential Data Breach related claims is based on the expectation of reaching negotiated settlements, and not on any determination that it is probable we would be found liable for the losses we have accrued were these claims to be litigated. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, our estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims. Our estimates may change as new information becomes available, and although we do not believe it is probable, it is reasonably possible that we may incur a material loss in excess of the amount accrued. We are not able to estimate the amount of such reasonably possible excess loss exposure at this time because many of the matters are in the early stages, alleged damages have not been specified, and there are significant factual and legal issues to be resolved. Expenses Incurred and Amounts Accrued Data Breach Balance Sheet Rollforward (millions) Liabilities Insurance Receivable Balance at February 1, 2014 $ 61 $ 44 Expenses incurred/insurance receivable recorded (a) 175 46 Payments made/received (54 ) (20 ) Balance at August 2, 2014 $ 182 $ 70 Balance at January 31, 2015 $ 171 $ 60 Expenses incurred/insurance receivable recorded (a) 12 — Payments made/received (15 ) (5 ) Balance at August 1, 2015 $ 168 $ 55 (a) Includes expenditures and accruals for Data Breach-related costs and expected insurance recoveries as discussed below. We recorded $9 million and $12 million of pretax Data Breach-related expenses during the three and six months ended August 1, 2015 , respectively, primarily for legal and other professional services. We recorded $148 million and $175 million of pretax Data Breach-related expenses during the three and six months ended August 2, 2014 , respectively, partially offset by expected insurance recoveries of $38 million and $46 million , respectively. Along with legal and other professional services, these expenses included an increase to the accrual for estimated probable losses for what we believe to be the vast majority of actual and potential breach-related claims, including claims by the payment card networks. These expenses were included in our Consolidated Statements of Operations as SG&A, but were not part of our segment results. Since the Data Breach, we have incurred $264 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million , for net cumulative expenses of $174 million . Insurance Coverage To limit our exposure to losses relating to Data Breach and other claims, we maintained $100 million of network-security insurance coverage during the period that the Data Breach occurred, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks. This coverage, and certain other customary business-insurance coverage, has reduced our exposure related to the Data Breach. We will pursue recoveries to the maximum extent available under the policies. Since the Data Breach, we have received $35 million from our network-security insurance carriers of the $90 million accrued. |
