When a retailer is hit by a major data breach—such as the one that befell Home Depot in 2014 and resulted in some 56 million credit and debit card numbers being compromised—there is a tendency to focus on the possible consumer class action lawsuits and regulatory enforcement actions that will likely follow.
However, companies may also face significant liability in litigation with the financial institutions that actually processed the transactions utilizing the stolen information and that then end up reimbursing customers for the amounts improperly billed to their accounts. The Home Depot breach is a reminder that it is imperative for retailers to be keenly aware of their potential exposure to these financial institutions so they can manage the risk accordingly.
After engaging in years of contentious litigation with a class of financial institutions relating to the 2014 data breach, on March 8, 2017, Home Depot agreed to pay $25 million into a non-reversionary settlement fund that will be distributed to those financial institutions that had not previously released their claims. This $25 million is in addition to the approximately $14.5 million Home Depot has already paid in premiums to MasterCard and Visa (in exchange for a release of claims) and its agreement to pay up to $2.225 million to those financial institutions whose claims were released by a sponsor (i.e., a card processor) related to a brand recovery program that was managed by MasterCard.
Home Depot has additionally agreed to implement enhanced security measures to reduce the risk of a future data breach and to pay the cost of providing notice to eligible financial institutions. Finally, Home Depot has agreed to pay the class’s attorneys’ fees. Although no agreement has been reached regarding the attorneys’ fees amount, class counsel for the financial institutions is expected to request upwards of $18 million, and the dispute over the proper amount of attorneys’ fees could itself take years to resolve.
The Home Depot data breach is yet another cautionary tale of what can happen when a company does not have proper data security measures in place. Furthermore, the proposed settlement goes to show that in addition to owing millions of dollars to consumers affected by data breaches, retailers face significant exposure to the financial institutions that process the transactions that utilized the stolen data.
While it would be unreasonable to believe that a company can put safety measures in place that will make it impossible for a data breach to occur, strong preventative measures are imperative for two reasons: they help prevent data breaches from happening, and, if a data breach does occur, they leave the company better situated to defend itself against after-the-fact allegations that its preventative measures were insufficient.
Finally, as with all aspects of a business’s risk management, it is important to have a comprehensive insurance program in place that specifically protects against data breaches. While companies traditionally sought coverage related to data breaches under their commercial general liability (CGL) policies, most insurers have responded by endorsing their CGL policies with exclusions for losses related to data breaches. As a result, a new market for policies providing coverage for data breaches has emerged. Companies must make sure that their data breach coverage is complete and up to date, or else they could be facing liability from all angles, as evidenced by the Home Depot data breach.