COMMITMENTS AND CONTINGENCIES

Data Breach

In the third quarter of fiscal 2014, the Company confirmed that its payment data systems were breached, which potentially impacted customers who used payment cards at self-checkout systems in the Company's U.S. and Canadian stores (the "Data Breach"). The Company's investigation to date has determined the intruder used a vendor's user name and password to enter the perimeter of the Company's network. The intruder then acquired elevated rights that allowed it to navigate portions of the Company's systems and to deploy unique, custom-built malware on the Company's self-checkout systems to access payment card information of customers who shopped at the Company's U.S. and Canadian stores between April 2014 and September 2014.

Litigation, Claims and Government Investigations

In the second quarter of fiscal 2015, the payment card networks made claims against the Company for costs that they assert they or their issuing banks have incurred in connection with the Data Breach, including incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs), and the Company recorded an accrual for estimated probable losses it expected to incur in connection with those claims. In the third quarter of fiscal 2015, the Company entered into settlement agreements with American Express and Discover with respect to their claims.

In addition, at least 57 putative class actions have been filed in courts in the U.S. and Canada allegedly arising from the Data Breach. The U.S. class actions have been consolidated for pre-trial proceedings in the United States District Court for the Northern District of Georgia (the "District Court"). That court ordered that the individual class actions be administratively closed in favor of the filing of consolidated class action complaints on behalf of customers and financial institutions allegedly harmed by the Data Breach. In the third quarter of fiscal 2015, the Company recorded an accrual for estimated probable losses that it expects to incur in connection with the U.S. customer class actions.

The accruals for estimated probable losses in connection with the payment card networks’ claims and the U.S. customer class actions are based on currently available information associated with those matters. These estimates may change as new information becomes available or circumstances change. The accruals are also based on the expectation of reaching negotiated settlements with the claimants and not on any determination that it is probable that the Company would be found liable for the losses it has accrued were these matters to be litigated.

Other claims have been and may be asserted against the Company on behalf of customers, payment card issuing banks, shareholders or others seeking damages or other related relief allegedly arising from the Data Breach. In the third quarter of fiscal 2015, two purported shareholder derivative actions were filed in the District Court against certain present and former members of the Company's Board of Directors and executive officers. The Company was also named as a nominal defendant in both suits, which together assert claims for breaches of fiduciary duty, waste of corporate assets, unjust enrichment and violations of the Securities Exchange Act of 1934. The lawsuits seek unspecified damages, equitable relief to reform the Company's corporate governance structure, restitution, disgorgement of profits, benefits and other compensation obtained by the defendants, and reasonable costs and expenses. In addition, several state and federal agencies, including State Attorneys General, are investigating events related to the Data Breach, including how it occurred, its consequences and the Company's responses. The Company is cooperating in the governmental investigations, and the Company may be subject to fines or other obligations. While a loss from these matters, including the Canadian class actions and the U.S. financial institution class actions, is reasonably possible, the Company is not able to estimate the costs, or range of costs, related to these matters because the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. The Company has not concluded that a loss from these matters is probable; therefore, the Company has not recorded an accrual for litigation, claims and governmental investigations related to these matters in the third quarter of fiscal 2015. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could have an adverse effect on the Company's consolidated financial condition, results of operations, or cash flows in future periods.

Expenses Incurred and Amounts Accrued

In the third quarter of fiscal 2015, the Company recorded $20 million of pretax expenses related to the Data Breach. The Company did not record any related expected insurance proceeds in the third quarter of fiscal 2015. The results for the first nine months of fiscal 2015 included $189 million of pretax gross expenses related to the Data Breach, partially offset by $70 million of expected insurance proceeds, for pretax net expenses of $119 million. Since the Data Breach occurred, the Company has recorded $252 million of pretax gross expenses related to the Data Breach, partially offset by $100 million of expected insurance proceeds, for pretax net expenses of $152 million. These expenses include costs to investigate the Data Breach; provide identity protection services, including credit monitoring, to impacted customers; increase call center staffing; and pay legal and other professional services, all of which were expensed as incurred. Expenses also include the accruals for estimated probable losses that the Company expects to incur in connection with the claims made by the payment card networks and the U.S. customer class actions. These expenses are included in Selling, General and Administrative expenses in the accompanying Consolidated Statements of Earnings.

At November 1, 2015, accrued liabilities and the insurance receivable related to the Data Breach consisted of the following (amounts in millions):



	Accrued Liabilities			Insurance Receivable
Balance at August 3, 2014	$	—		$	—
(Expenses incurred) insurance receivable recorded	(43		)	15
Payments made (received)	35			—
Balance at November 2, 2014	(8		)	15
(Expenses incurred) insurance receivable recorded	(20		)	15
Payments made (received)	16			(10		)
Balance at February 1, 2015	(12		)	20
(Expenses incurred) insurance receivable recorded	(16		)	9
Payments made (received)	9			(20		)
Balance at May 3, 2015	(19		)	9
(Expenses incurred) insurance receivable recorded	(153		)	61
Payments made (received)	20			—
Balance at August 2, 2015	(152		)	70
(Expenses incurred) insurance receivable recorded	(20		)	—
Payments made (received)	7			—
Balance at November 1, 2015	$	(165	)	$	70

Future Costs

The Company expects to incur additional legal and other professional services expenses associated with the Data Breach in future periods and will recognize these expenses as services are received. Costs related to the Data Breach that may be incurred in future periods may include additional liabilities to payment card networks and impacted customers; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities. The Company believes that the ultimate amount paid on these services and claims could have an adverse effect on the Company's consolidated financial condition, results of operations, or cash flows in future periods.

Insurance Coverage

The Company maintained $100 million of network security and privacy liability insurance coverage in fiscal 2014, above a $7.5 million deductible, to limit the Company's exposure to losses such as those related to the Data Breach. As of November 1, 2015, the Company had received initial payments totaling $30 million of insurance reimbursements under the fiscal 2014 policy, and expects to receive additional payments. In the first quarter of fiscal 2015, the Company entered into a new policy, with $100 million of network security and privacy liability insurance coverage, above a $10 million deductible, to limit the Company's exposure to similar losses.