Processing System Intrusion
6 Months Ended Nov. 30, 2012
PROCESSING SYSTEM INTRUSION
In early March of 2012, we identified and self-reported unauthorized access into a limited portion of our North America card processing system.
As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks' lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA's evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.
The investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services. The merchants who could potentially be affected are limited to those based in the U.S. We cannot verify those potentially affected as it is unclear whether any information was exported; however, we notified potentially-affected individuals and made available credit monitoring and identity protection insurance at no cost to the individuals.
During the six months ended November 30, 2012, we recorded $9.5 million of expense associated with this incident, bringing the life-to-date total expense to $93.9 million. Of this life-to-date expense, $60.0 million represents costs incurred through November 30, 2012 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. During the three months ended November 30, 2012, we reduced our estimate of fraud losses, fines and other charges by $31.5 million resulting in a credit of $14.5 million for total processing system intrusion costs for the quarter ended November 30, 2012. We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks. We have now reached resolution with and made payments to certain networks, resulting in charges that were less than our initial estimates. The primary difference between our initial estimates and the final charges relates to lower fraud related costs attributed to this event than previously expected. The following table reflects the activity in our accrual for fraud losses, fines and other charges for the six months ended November 30, 2012 (in thousands):
We have not reached final resolution with certain other networks. As such, the amount of fraud losses, fines and other charges that will be imposed by those networks could differ from the amount we have accrued as of November 30, 2012. Currently we do not have sufficient information to estimate the amount or range of additional possible loss for fraud losses, fines and other charges that will be imposed upon us by those card networks.
We are insured under policies that we believe may provide coverage of certain costs associated with this event. The policies provide a total of $30.0 million in policy limits and contain various sub-limits of liability and other terms, conditions and limitations, including a $1.0 million deductible per claim. Our insurers have been advised of the circumstances surrounding our recent event. During fiscal year 2012, we recorded $2.0 million in insurance recoveries based on claims submitted to date. During the three months ended November 30, 2012, we received assessments from certain networks and submitted additional claims to the insurers. We will record receivables for such recoveries in the periods in which we determine such recovery is probable and the amount can be reasonably estimated.
We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be material to our fiscal 2013 financial position, results of operations and cash flows.
A class action arising out of the processing system intrusion was filed against us on April 4, 2012 by Natalie Willingham (individually and on behalf of a putative nationwide class). Specifically, Ms. Willingham alleged that we failed to maintain reasonable and adequate procedures to protect her personally identifiable information (“PII”) which she claims resulted in two fraudulent charges on her credit card in March 2012. Further, Ms. Willingham asserted that we failed to timely notify the public of the data breach. Based on these allegations, Ms. Willingham asserted claims for negligence, violation of the Federal Stored Communications Act, willful violation of the Fair Credit Reporting Act, negligent violation of the Fair Credit Reporting Act, violation of Georgia's Unfair and Deceptive Trade Practices Act, negligence per se, breach of third-party beneficiary contract, and breach of implied contract. Plaintiff seeks an unspecified amount of damages and injunctive relief. The suit was filed in the United States District Court for the Northern District of Georgia. On May 14, 2012, we filed a motion to dismiss. On July 11, 2012, Plaintiff filed a motion for leave to amend her complaint, and on July 16, 2012, the Court granted that motion. Plaintiff filed an amended complaint on July 16, 2012. The amended complaint does not add any new causes of action. Instead, it adds two new named Plaintiffs (Nadine and Robert Hielscher) and drops Plaintiffs' claim for negligence per se. On August 16, 2012, we filed a motion to dismiss the Plaintiffs' amended complaint. The Plaintiffs filed their response in opposition to our motion to dismiss on October 5, 2012, and we subsequently filed our reply brief on October 22, 2012. At this stage of the proceedings we cannot predict the outcome of the matter, but we intend to defend the matter vigorously. We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.
Currently we do not have sufficient information to estimate the amount or range of possible loss associated with this matter.