COMMITMENTS AND CONTINGENCIES

At February 1, 2015, the Company was contingently liable for approximately $392 million under outstanding letters of credit and open accounts issued for certain business transactions, including insurance programs, trade contracts and construction contracts. The Company’s letters of credit are primarily performance-based and are not based on changes in variable components, a liability or an equity security of the other party.

In addition to the Data Breach described below, the Company is involved in litigation arising from the normal course of business. In management's opinion, this litigation is not expected to have a material adverse effect on the Company's consolidated financial condition, results of operations or cash flows.

Data Breach

In the third quarter of fiscal 2014, the Company confirmed that its payment data systems were breached, which potentially impacted customers who used payment cards at self-checkout systems in the Company's U.S. and Canadian stores (the "Data Breach"). The Company's investigation to date has determined the intruder used a vendor’s user name and password to enter the perimeter of the Company’s network. The intruder then acquired elevated rights that allowed it to navigate portions of the Company’s systems and to deploy unique, custom-built malware on the Company’s self-checkout systems to access payment card information of customers who shopped at the Company's U.S. and Canadian stores between April 2014 and September 2014. The investigation of the Data Breach is ongoing, and the Company is supporting law enforcement efforts to identify the responsible parties.

Expenses Incurred and Amounts Accrued

In fiscal 2014, the Company recorded $63 million of pretax expenses related to the Data Breach, partially offset by $30 million of expected insurance proceeds for costs the Company believes are reimbursable and probable of recovery under its insurance coverage, for pretax net expenses of $33 million. These expenses are included in SG&A expenses in the accompanying Consolidated Statements of Earnings for fiscal 2014. Expenses include costs to investigate the Data Breach; provide identity protection services, including credit monitoring, to impacted customers; increase call center staffing; and pay legal and other professional services, all of which were expensed as incurred.

At February 1, 2015, accrued liabilities and insurance receivable related to the Data Breach consisted of the following (amounts in millions):



	Accrued Liabilities			Insurance Receivable
(Expenses incurred) insurance receivable recorded	$	(63	)	$	30
Payments made (received)	51			(10		)
Balance at February 1, 2015	$	(12	)	$	20

Litigation, Claims and Government Investigations

In addition to the above expenses, the Company believes it is probable that the payment card networks will make claims against the Company. The ultimate amount of these claims will likely include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks assert they or their issuing banks have incurred. In order for the Company to have liability for such claims, the Company believes it would have to be determined, among other things, that (1) at the time of the Data Breach the portion of the Company’s network that handles payment card data was noncompliant with applicable data security standards, and (2) the alleged noncompliance caused at least some portion of the compromise of payment card data that occurred during the Data Breach. Although an independent third-party assessor found the portion of the Company’s network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, and the process of obtaining such certification for 2014 was ongoing at the time of the Data Breach, in March 2015 the forensic investigator working on behalf of the payment card networks alleged that the Company was not in compliance with certain of those standards at the time of the Data Breach. As a result, the Company believes it is probable that the payment card networks will make claims against it and that the Company will dispute those claims. When those claims are asserted, the Company will have to determine, based on the facts and information then available to it, whether to litigate or seek to settle those claims. At this time, the Company believes that settlement negotiations will ensue and that it is probable that the Company will incur a loss in connection with those claims. The Company cannot reasonably estimate a range of losses because no claims have yet been asserted and because there are significant factual and legal issues to be resolved. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on payment card network claims could be material to the Company's consolidated financial condition, results of operations, or cash flows in future periods.

In addition, at least 57 actions have been filed in courts in the U.S. and Canada, and other claims may be asserted against the Company on behalf of customers, payment card brands, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising from the Data Breach. Furthermore, several state and federal agencies, including State Attorneys General, are investigating events related to the Data Breach, including how it occurred, its consequences and the Company's responses. The Company is cooperating in the governmental investigations, and the Company may be subject to fines or other obligations. While a loss from these matters is reasonably possible, the Company is not able to estimate the costs, or range of costs, related to these matters because the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. The Company has not concluded that a loss from these matters is probable; therefore, the Company has not recorded an accrual for litigation, claims and governmental investigations related to these matters in fiscal 2014. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.

Future Costs

The Company expects to incur significant legal and other professional services expenses associated with the Data Breach in future periods. The Company will recognize these expenses as services are received. Costs related to the Data Breach that may be incurred in future periods may also include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs; liabilities related to the Company’s private label credit card fraud and card reissuance costs; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities. The Company believes that the ultimate amount paid on these services and claims could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.

Insurance Coverage

The Company maintained $100 million of network security and privacy liability insurance coverage in fiscal 2014, above a $7.5 million deductible, to limit the Company's exposure to losses such as those related to the Data Breach. As of February 1, 2015, the Company had received an initial payment of $10 million of insurance reimbursements, and expects to receive additional payments. In fiscal 2015, the Company entered into a new policy, with $100 million of network security and privacy liability insurance coverage, above a $10 million deductible, to limit the Company's exposure to similar losses.