|
Processing System Intrusion
|9 Months Ended
|
Feb. 28, 2013
|Processing System Intrusion [Abstract]
|Processing System Intrusion
|
PROCESSING SYSTEM INTRUSION
In early March of 2012, we identified and self-reported unauthorized access into a limited portion of our North America card processing system. Our investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services. The merchants who could potentially be affected are limited to those based in the U.S. We cannot verify those potentially affected as it is unclear whether any information was exported; however, we notified potentially-affected individuals and made available credit monitoring and identity protection insurance at no cost to the individuals.
As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our work to remediate our systems and processes is complete. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our QSA completed the evaluation of our remediation work. Global Payments Direct, Inc, our primary operating entity, has been returned to the list of PCI DSS compliant service providers and we have received reports on compliance covering all of our systems that process, store, transmit or otherwise utilize card data. To date, we have not experienced a material loss of revenue that we can confirm has been related to this event. However, this event and our related remediation efforts could potentially have a negative impact on future revenues.
During the nine months ended February 28, 2013, we recorded $8.3 million of expense associated with this incident, bringing the life-to-date total expense to $92.7 million. Of this life-to-date expense, $77.1 million represents costs incurred through February 28, 2013 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.6 million represents total fraud losses, fines and other charges that have been imposed upon us by the card networks. We have also recorded $20.0 million of insurance recoveries based on claims submitted to date as discussed below. The $18.0 million of insurance recoveries we recorded during the three months ended February 28, 2013 resulted in a net credit of $1.2 million for total processing system intrusion costs for the quarter. During the nine months ended February 28, 2013, we reduced our accrual for fraud losses, fines and other charges by $31.8 million. We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks. We have now reached resolution with the networks and made payments to certain networks, resulting in charges that were less than our initial estimates. The primary difference between our initial estimates and the final charges relates to lower fraud related costs attributed to this event than previously expected. The following table reflects the activity in our accrual for fraud losses, fines and other charges for the nine months ended February 28, 2013 (in thousands):
We expect to make final payments to networks for fraud losses, fines and other charges during the fourth quarter of fiscal year 2013. We anticipate that we will continue to incur professional fees and other costs associated with remediation during the fourth quarter of fiscal 2013.
We are insured under policies that will provide coverage of certain costs associated with this event. The policies provide a total of $30.0 million in policy limits and contain various sub-limits of liability and other terms, conditions and limitations, including a $1.0 million deductible per claim. Our insurers have been advised of the circumstances surrounding our recent event. During fiscal year 2012, we recorded $2.0 million in insurance recoveries based on claims submitted to date. During the nine months ended February 28, 2013, we received assessments from certain networks and submitted additional claims to the insurers and recorded $18.0 million in additional insurance recoveries based on our negotiations with our insurers. We will record receivables for any additional recoveries in the periods in which we determine such recovery is probable and the amount can be reasonably estimated.
A class action arising out of the processing system intrusion was filed against us on April 4, 2012 by Natalie Willingham (individually and on behalf of a putative nationwide class) (the "Plaintiff"). Specifically, Ms. Willingham alleged that we failed to maintain reasonable and adequate procedures to protect her personally identifiable information (“PII”) which she claims resulted in two fraudulent charges on her credit card in March 2012. Further, Ms. Willingham asserted that we failed to timely notify the public of the data breach. Based on these allegations, Ms. Willingham asserted claims for negligence, violation of the Federal Stored Communications Act, willful violation of the Fair Credit Reporting Act, negligent violation of the Fair Credit Reporting Act, violation of Georgia's Unfair and Deceptive Trade Practices Act, negligence per se, breach of third-party beneficiary contract, and breach of implied contract. Ms. Willingham sought an unspecified amount of damages and injunctive relief. The lawsuit was filed in the United States District Court for the Northern District of Georgia. On May 14, 2012, we filed a motion to dismiss. On July 11, 2012, Plaintiff filed a motion for leave to amend her complaint, and on July 16, 2012, the Court granted that motion. She then filed an amended complaint on July 16, 2012. The amended complaint did not add any new causes of action. Instead, it added two new named Plaintiffs (Nadine and Robert Hielscher) (together with Plaintiff, the "Plaintiffs") and dropped Plaintiff's claim for negligence per se. On August 16, 2012, we filed a motion to dismiss the Plaintiffs' amended complaint. The Plaintiffs' filed their response in opposition to our motion to dismiss on October 5, 2012, and we subsequently filed our reply brief on October 22, 2012. The magistrate judge issued a report and recommendation recommending dismissal of all of Plaintiffs' claims with prejudice. The Plaintiffs subsequently agreed to voluntarily dismiss the lawsuit with prejudice, with each party bearing its own fees and costs. This was the only consideration exchanged by the parties in connection with Plaintiffs' voluntary dismissal with prejudice of the lawsuit. The lawsuit was dismissed with prejudice on March 6, 2013.
|X
|
- Details
|X
|
- Definition
Processing System Intrusion [Text Block]
No definition available.