Commitments and Contingencies
Data Breach
In the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and other guest information from our network (the Data Breach). Based on our investigation to date, we believe that the intruder accessed and stole payment card data from approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between November 27 and December 15, 2013, through malware installed on our point-of-sale system in our U.S. stores. On December 15, we removed the malware from virtually all registers in our U.S. stores. Payment card data used in transactions made by 56 additional guests in the period between December 16 and December 17 was stolen prior to our disabling malware on one additional register that was disconnected from our system when we completed the initial malware removal on December 15. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals. Our investigation of the matter is ongoing, and we are supporting law enforcement efforts to identify the responsible parties.
Expenses Incurred and Amounts Accrued
In the fourth quarter of 2013, we recorded $61 million of pretax Data Breach-related expenses, and expected insurance proceeds of $44 million, for net expenses of $17 million ($11 million after tax), or $0.02 per diluted share. These expenses were included in our Consolidated Statements of Operations as Selling, General and Administrative Expenses (SG&A), but were not part of our segment results. Expenses include costs to investigate the Data Breach, provide credit-monitoring services to our guests, increase staffing in our call centers, and procure legal and other professional services.
The $61 million of fourth quarter expenses also include an accrual for the estimated probable loss related to the expected payment card networks’ claims by reason of the Data Breach. The ultimate amount of these claims will likely include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred. In order for us to have liability for such claims, we believe that a court would have to find among other things that (1) at the time of the Data Breach the portion of our network that handles payment card data was noncompliant with applicable data security standards in a manner that contributed to the Data Breach, and (2) the network operating rules around reimbursement of operating costs and counterfeit fraud losses are enforceable. While an independent third-party assessor found the portion of our network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, we expect the forensic investigator working on behalf of the payment card networks nonetheless to claim that we were not in compliance with those standards at the time of the Data Breach. We base that expectation on our understanding that, in cases like ours where prior to a data breach the entity suffering the breach had been found by an independent third-party assessor to be fully compliant with those standards, the network-approved forensic investigator nonetheless regularly claims that the breached entity was not in fact compliant with those standards. As a result, we believe it is probable that the payment card networks will make claims against us. We expect to dispute the payment card networks’ anticipated claims, and we think it is probable that our disputes would lead to settlement negotiations consistent with the experience of other entities that have suffered similar payment card breaches. 
We believe such negotiations would effect a combined settlement of both the payment card networks’ counterfeit fraud loss allegations and their non-ordinary course operating expense allegations. We based our year-end accrual on the expectation of reaching negotiated settlements of the payment card networks’ anticipated claims and not on any determination that it is probable we would be found liable on these claims were they to be litigated. Currently, we can only reasonably estimate a loss associated with settlements of the networks’ expected claims for non-ordinary course operating expenses. The year-end accrual does not include any amounts associated with the networks’ expected claims for alleged incremental counterfeit fraud losses because the loss associated with settling such claims, while probable in our judgment, is not reasonably estimable, in part because we have not yet received third-party fraud reporting from the payment card networks. We are not able to reasonably estimate a range of possible losses in excess of the year-end accrual related to the expected settlement of the payment card networks’ claims because the investigation into the matter is ongoing and there are significant factual and legal issues to be resolved. We believe that it is reasonably possible that the ultimate amount paid on payment card network claims could be material to our results of operations in future periods.
Litigation and Governmental Investigations
In addition, more than 80 actions have been filed in courts in many states and other claims have been or may be asserted against us on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach. State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. Although we are cooperating in these investigations, we may be subject to fines or other obligations. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses because our investigation into the matter is ongoing, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Further, we do not believe that a loss from these matters is probable; therefore, we have not recorded a loss contingency liability for litigation, claims and governmental investigations in 2013. We will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable.
Future Costs
We expect to incur significant investigation, legal and professional services expenses associated with the Data Breach in future periods. We will recognize these expenses as services are received. We also expect to incur additional expenses associated with incremental fraud and reissuance costs on Target REDcards.
Insurance Coverage
To limit our exposure to Data Breach losses, we maintain $100 million of network-security insurance coverage, above a $10 million deductible. This coverage and certain other insurance coverage may reduce our exposure. We will pursue recoveries to the maximum extent available under the policies. As of February 1, 2014, we have recorded a $44 million receivable for costs we believe are reimbursable and probable of recovery under our insurance coverage, which partially offsets the $61 million of expense relating to the Data Breach.
Other Contingencies
We are exposed to other claims and litigation arising in the ordinary course of business and use various methods to resolve these matters in a manner that we believe serves the best interest of our shareholders and other constituents. We believe the recorded reserves in our consolidated financial statements are adequate in light of the probable and estimable liabilities. We do not believe that any of these identified claims or litigation will be material to our results of operations, cash flows or financial condition.
Commitments
Purchase obligations, which include all legally binding contracts such as firm commitments for inventory purchases, merchandise royalties, equipment purchases, marketing-related contracts, software acquisition/license commitments and service contracts, were $1,317 million and $1,472 million at February 1, 2014 and February 2, 2013, respectively. These purchase obligations are primarily due within three years and recorded as liabilities when inventory is received. We issue inventory purchase orders, which represent authorizations to purchase that are cancelable by their terms. We do not consider purchase orders to be firm inventory commitments. If we choose to cancel a purchase order, we may be obligated to reimburse the vendor for unrecoverable outlays incurred prior to cancellation. Real estate obligations, which include commitments for the purchase, construction or remodeling of real estate and facilities, were $449 million and $1,128 million at February 1, 2014 and February 2, 2013, respectively. These real estate obligations are primarily due within one year, a portion of which are recorded as liabilities.
We issue letters of credit and surety bonds in the ordinary course of business. Trade letters of credit totaled $1,441 million and $1,539 million at February 1, 2014 and February 2, 2013, respectively, a portion of which are reflected in accounts payable. Standby letters of credit and surety bonds, relating primarily to insurance and regulatory requirements, totaled $500 million and $486 million at February 1, 2014 and February 2, 2013, respectively.