Data Breach
6 Months Ended
Aug. 02, 2014
Commitments and Contingencies Disclosure [Abstract]  

In the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and other guest information from our network (the Data Breach). Based on our investigation to date, we believe that the intruder installed malware on our point-of-sale system in our U.S. stores and stole payment card data from up to approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between November 27 and December 17, 2013. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals.

Payment Card Network Loss Contingencies

In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event. For us to have liability for such claims, we believe that a court would have to find that, among other things, (1) at the time of the Data Breach the portion of our network that handles payment card data was noncompliant with applicable data security standards in a manner that contributed to the Data Breach, and (2) the network operating rules around reimbursement of operating costs and counterfeit fraud losses are enforceable. While an independent third-party assessor found the portion of our network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed in first quarter 2014 that we were not in compliance with those standards at the time of the Data Breach.

During the second quarter of 2014, payment card networks composing a substantial portion of impacted payment cards made preliminary written or oral claims against us. We believe it is probable that the remaining payment card networks will also make claims against us. We expect to dispute the claims that have been or may be made against us, and we think it is probable that our disputes would lead to settlement negotiations consistent with the experience of other entities that suffered similar payment card breaches. We believe such negotiations would effect a combined settlement of the payment card networks' counterfeit fraud loss allegations and their non-ordinary course operating expense allegations. Our accruals for estimated probable loss discussed below include what we believe to be the vast majority of both actual and potential claims from the payment card networks.

Litigation and Governmental Investigations

In addition, more than 100 actions have been filed in courts in many states, along with one action in Canada, and other claims have been or may be asserted against us on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief allegedly arising out of the Data Breach. State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC, are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. Our accruals for estimated probable loss discussed below include what we believe to be the vast majority of both actual and potential claims from these matters.

Expenses Incurred and Amounts Accrued  

Data Breach Balance Sheet Rollforward (millions)

| | Liabilities | Insurance receivable |
|---|---|---|
| Balance at February 1, 2014 | $61 | $44 |
| Expenses incurred/insurance receivable recorded (a) | 26 | 8 |
| Payments made/received | (35) | (13) |
| Balance at May 3, 2014 | 52 | 39 |
| Expenses incurred/insurance receivable recorded (a) | 148 | 38 |
| Payments made/received | (19) | (7) |
| Balance at August 2, 2014 | $182 | $70 |

(a) Includes expenditures and accruals for Data Breach-related costs and expected insurance recoveries as discussed below.

In the second quarter of 2014, we recorded $148 million of pretax Data Breach-related expenses and expected insurance proceeds of $38 million, for net expenses of $111 million. These expenses were included in our Consolidated Statements of Operations as Selling, General and Administrative Expenses (SG&A), but were not part of our segment results. Along with legal and other professional services, these expenses included an increase to the accrual for estimated probable losses for what we believe to be the vast majority of actual and potential breach-related claims, including claims by the payment card networks. Our probable loss estimate is based on the expectation of reaching negotiated settlements, and not on any determination that it is probable we would be found liable for the losses we have accrued were these claims to be litigated. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, our estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims. Our estimates may change as new information becomes available and, although we do not believe it is probable, it is reasonably possible that we may incur a material loss in excess of the amount accrued. We are not able to estimate the amount of such reasonably possible excess loss exposure at this time because many of the matters are in the early stages, alleged damages have not been specified, and there are significant factual and legal issues to be resolved. The accrual does not reflect future breach-related legal, consulting or administrative fees, which are expensed as incurred and not expected to be material to our consolidated financial statements in any individual period.

During the six months ended August 2, 2014, we recorded $175 million of Data Breach-related expenses, partially offset by expected insurance proceeds of $46 million, for net expenses of $129 million. Since the Data Breach, we have incurred $236 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $146 million.

Insurance Coverage

To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks. This coverage, and certain other customary business-insurance coverage, has reduced our exposure related to the Data Breach. We will pursue recoveries to the maximum extent available under the policies. As of August 2, 2014, we have received $20 million from our network-security insurance carriers.