|
Data Breach
|3 Months Ended
|
May 03, 2014
|Commitments and Contingencies Disclosure [Abstract]
|Data Breach
|
Data Breach
In the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and other guest information from our network (the Data Breach). Based on our investigation to date, we believe that the intruder accessed and stole payment card data from approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between November 27 and December 17, 2013, through malware installed on our point-of-sale system in our U.S. stores. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals. Our investigation of the matter is ongoing, and we are supporting law enforcement efforts to identify the responsible parties.
Expenses Incurred and Amounts Accrued
(a) Includes expenditures and accruals for Data Breach related costs and expected insurance recoveries as discussed below.
In the first quarter of 2014, we recorded $26 million of Data Breach-related expenses, partially offset by expected insurance proceeds of $8 million, for net expenses of $18 million. We recorded these expenses in our Consolidated Statements of Operations as Selling, General and Administrative Expenses (SG&A), but they are not included in our segment results. Expenses primarily relate to legal and other professional services.
Since the Data Breach, we have incurred $88 million of cumulative expenses, partially offset by expected insurance recoveries of $52 million, for net cumulative expenses of $35 million. These expenses include an accrual for the estimated probable loss related to the expected payment card networks' claims by reason of the Data Breach. The ultimate amount of these claims will likely include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred. In order for us to have liability for such claims, we believe that a court would have to find among other things that (1) at the time of the Data Breach the portion of our network that handles payment card data was noncompliant with applicable data security standards in a manner that contributed to the Data Breach, and (2) the network operating rules around reimbursement of operating costs and counterfeit fraud losses are enforceable. While an independent third-party assessor found the portion of our network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed that we were not in compliance with those standards at the time of the Data Breach. As a result, we believe it is probable that the payment card networks will make claims against us. We expect to dispute the payment card networks' anticipated claims, and we think it is probable that our disputes would lead to settlement negotiations consistent with the experience of other entities that have suffered similar payment card breaches. We believe such negotiations would effect a combined settlement of both the payment card networks' counterfeit fraud loss allegations and their non-ordinary course operating expense allegations. We based our accrual on the expectation of reaching negotiated settlements of the payment card networks' anticipated claims and not on any determination that it is probable we would be found liable on these claims were they to be litigated. Currently, we can only reasonably estimate a loss associated with settlements of the networks' expected claims for non-ordinary course operating expenses. The accrual does not include any amounts associated with the networks' expected claims for alleged incremental counterfeit fraud losses because the loss associated with settling such claims, while probable in our judgment, is not reasonably estimable, in part because we have not yet received third-party fraud reporting from the payment card networks. We are not able to reasonably estimate a range of possible losses in excess of the recorded accrual related to the expected settlement of the payment card networks' claims because the investigation into the matter is ongoing and there are significant factual and legal issues to be resolved. We believe it is reasonably possible that the ultimate amount paid on payment card network claims could be material to our results of operations in future periods.
Litigation and Governmental Investigations
In addition, more than 100 actions have been filed in courts in many states and one action in Canada and other claims have been or may be asserted against us on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach. State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses because our investigation into the matter is ongoing, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Although we are cooperating in these investigations, we may be subject to fines or other obligations, which may have an adverse effect on our results of operations. We have not concluded that a loss from these matters is probable; therefore, we have not recorded a loss contingency liability for litigation, claims and governmental investigations in the first quarter 2014. We will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable.
Future Costs
We expect to incur significant legal and professional services expenses associated with the Data Breach in future periods. We will recognize these expenses as services are received.
Insurance Coverage
To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible. This coverage and certain other customary business-insurance coverage has reduced our exposure related to the Data Breach. We will pursue recoveries to the maximum extent available under the policies. As of May 3, 2014, we have received an initial payment of $13 million on our claim from our primary layer of network-security insurance, and expect to receive additional payments.
|X
|
- Details
|X
|
- Definition
The entire disclosure for commitments and contingencies.
Reference 1: http://www.xbrl.org/2003/role/presentationRef