As a result of a $25 million settlement reached with the remaining banks and credit unions, the litigation against Home Depot stemming from its 2014 data breach will finally end.
In September 2014, Home Depot announced that its payment data systems had been breached. An investigation revealed that hackers placed malware on the self-checkout kiosks in stores nationwide, allowing the theft of customers' personal financial information, including names, payment card numbers, expiration dates, and security codes. The stolen information—estimated in the range of 56 million credit and debit card numbers—was then sold over the Internet.
As a result, financial institutions cancelled accounts and reissued the compromised payment cards, reimbursed their customers for fraudulent transactions, and incurred other expenses. More than 25 class action lawsuits were filed against Home Depot by financial institutions alleging that the company's failure to institute adequate data security measures caused their losses.
The litigation was consolidated, and after some motions and discovery, the parties managed to reach a deal.
Pursuant to the settlement, Home Depot promised to pay $25 million into a non-reversionary fund to be distributed to class members, which included banks and credit unions in the United States that issued any payment card identified as having been at risk as a result of the data breach and that did not release their claims. Class members that file a valid claim will receive a "fixed payment award" estimated to be $2 per compromised card, without having to prove their losses and regardless of the amount of compensation they already have received from another source.
Those class members that submit proof of their losses and the compensation they already received, if any, are eligible for an additional "documented damages award" from the fund of up to 60 percent of their uncompensated losses from the data breach.
Home Depot previously obtained releases from some MasterCard and Visa issuers, paying out $14.5 million in premiums on top of more than $140 million in payments to the larger issuers under the card brand recovery processes.
A separate $2.25 million will be provided by Home Depot to sponsored entities whose claims were released by their sponsor in connection with MasterCard's Account Data Compromise program. Eligible entities will be entitled to $2 per compromised card.
In addition to the monetary payment, Home Depot agreed to implement new data security measures. For a period of at least two years, the company will "design and implement reasonable safeguards to manage the risks identified through its data security risk assessments," tracking and managing its assessments utilizing a risk exception process involving Home Depot leadership and reviewed on a periodic basis.
The company will implement an appropriate industry-recognized security control framework and develop and use reasonable steps to select and retain information technology vendors capable of maintaining appropriate security, conducting assessments to ensure that vendors with access to payment card information comply with Home Depot's security practices.
Home Depot also accepted responsibility for the costs of settlement administration and class counsel fees separate from the settlement fund.
Arguing in support of granting preliminary approval of the deal, the plaintiffs said the terms were within reason and compared favorably with settlements in similar data breach cases.
To read the memorandum of law in support of the plaintiffs' unopposed motion for preliminary approval of class action settlement in In re: The Home Depot, Inc., Customer Data Security Breach Litigation, click here.
U.S. District Court Judge Thomas W. Thrash granted preliminary approval to the deal. A final hearing on the settlement is set for September.
Why it matters
Aside from the settlement confirming a consistent level of potential financial recoveries for banks refusing to accept the amounts recoverable through the Card Networks, the obligation to implement new security measures—while not unexpected after a breach—also establishes a precedent as to commitments that may be expected of merchants in future cases.