More than a year and a half ago, Home Depot announced that it had been a victim of one of the largest data breaches in U.S. history. Media outlets reported that the breach had affected Home Depot’s customers who had made purchases using the company’s self-checkout terminals. The hackers had used a third-party vendor’s username and password to infiltrate Home Depot’s network and install malware that allowed the criminals to access shoppers’ payment and contact information for a period of five months. According to reports from the media and the company, the hackers gained access to 56 million credit and debit cards and obtained 53 million email addresses.
With the benefit of time, what have been the consequences for Home Depot?
Unsurprisingly, one of the major fallouts from the data breach has been litigation—lots of it and from different plaintiffs. There are currently three tracks of lawsuits proceeding against Home Depot. First, in November 2014, consumers began to file suit, and more than forty-four of them were ultimately consolidated in the Northern District of Georgia. The good news for Home Depot is that its legal fight with consumers appears to be coming to an end. Last month, the Court approved a preliminary settlement in which Home Depot agreed to create a $13 million settlement fund to reimburse the class and agreed to spend up to $6.5 million to fund eighteen months of cardholder identity protection services. In addition, Home Depot agreed to provide increased data security measures for a period of two years.
Second, in May 2015, a group of banks and credit unions filed a consolidated class action complaint against Home Depot, asserting claims for negligence. The financial institutions alleged that Home Depot’s data breach caused them to cancel and re-issue millions of credit and debit cards, and they estimated that they paid $150 million in reissuance costs alone. Home Depot has moved to dismiss these claims on Article III standing grounds. Interestingly, Home Depot settled with the consumer class before the court ruled on a similar motion in that case. Time will tell whether the court is given an opportunity to decide the motion in the context of financial institutions.
Third, as we have previously reported, in August 2015, shareholders filed a derivative suit against Home Depot and twelve of its officers and directors. The shareholders claim that Home Depot and the individual defendants breached their fiduciary duties by failing to ensure that Home Depot took reasonable steps to protect consumers’ personal and financial information. Several weeks ago, Home Depot filed a motion to dismiss in that case, largely arguing that the shareholders’ claims fail because they had not complied with pre-suit demand obligations. The motion has not yet been fully briefed.
Besides the expense and distraction of litigation, Home Depot announced in its recent 10-K that it had recorded $161 million of pretax expenses, net of expected insurance and recoveries, in connection with the breach itself. While $161 million is a huge sum of money, it could be worse. Last year, Forbes estimated that Home Depot would incur $10 billion in costs related to the breach by the end of the decade.
But the news isn’t all bad. Numerous media outlets have reported that Home Depot’s stock didn’t suffer in the wake of the data breach. While some commentators have attributed the performance of Home Depot’s stock to data breach fatigue, it could be because the company reacted to the breach with candor and transparency. Home Depot was relatively upfront with consumers about the breach. Target was not as candid with consumers, and its stock price tumbled after its data breach even though Target’s breach affected fewer customers than Home Depot’s.
So, what are the takeaways?
- Data breaches have far-reaching consequences for the victim company.
- The out-of-pocket costs to deal with a breach may be enormous—even if a company has insurance (as Home Depot appeared to).
- Litigation may follow from numerous parties including customers, vendors, counterparties, and shareholders.
- A victim company’s immediate response to a breach is critical. In the case of Home Depot, a candid response may have bolstered the company’s stock prices.
Given the far-reaching consequences that may flow from a breach, a company should begin preparing for a breach before it is faced with a data security emergency. Issues that require serious consideration are:
- Does your company have adequate cybersecurity insurance?
- Has your company mapped the types and locations of sensitive information?
- Has your company conducted a cybersecurity audit?
- Does your company have an incident response plan?
- Has your company tested its preparedness for a breach by conducting a tabletop exercise?
- Will your company be prepared to develop a crisis communications plan following a breach, and will your company have the ability to assert the attorney-client privilege over its communications with a public-relations firm?
- Is your company compliant with industry regulators’ cybersecurity rules? Is your company abreast of regulators’ latest proposed rules?