Target-logo-dailyTwo years after one of the largest data breaches in retail history was discovered, Target settled a class action lawsuit with financial institutions for $39.4 million. The proposed settlement will apply to all U.S. financial institutions that issued payment cards put at risk as a result of the data breach. The preliminary settlement filed on Wednesday resolves class-action claims by lenders seeking to hold Target responsible for their costs to reimburse fraudulent charges and issue new credit and debit cards.

“Financial institutions should not always have to bear the burden of extensive costs related to merchant data breaches over which they have no control,” the plaintiffs’ lawyers Charles Zimmerman and Karl Cambronne said in a joint statement as reported by Reuters.

Target has said at least 40 million credit cards were compromised in the breach, and that as many as 110 million people may have suffered the theft of personal information such as email addresses and phone numbers. The settlement pays $20 million to financial institutions and $19 million to MasterCard for its Account Data Compromise program.

The final approval hearing is set for May 10, 2016. The League and CUNA continue to push Congress to pass stricter data security laws that hold merchants accountable. H.R. 2205, the Data Security Act, is expected to be marked up next week by the House Financial Services Committee. You can read more analysis of the settlement from Reuters.