Financial institutions rarely wear the "plaintiff hat" when it comes to class action proceedings. However, 50 financial institutions in the US found themselves on the other side of the negotiating table in 2014 when they launched 25 class actions against Home Depot in response to the massive breach of the retailer's payment data systems, which compromised 56 million credit and debit cards. These individual actions were eventually consolidated into a single complaint.
In a proposed settlement submitted for preliminary approval to the Georgia federal court on March 8, 2017, Home Depot has agreed to implement new data security measures going forward and pay $25 million into a non-reversionary fund for distribution to financial institutions that have not already released their claims. In addition, certain financial institutions that were persuaded to release their claims against Home Depot after receiving misleading communications from the retailer would also receive up to $2.25 million.
The privacy breach occurred when cyber hackers installed malware onto Home Depot's self-checkout kiosks around the US in order to obtain customers' personal financial information, including full names, card numbers and other security credentials. The hackers sold this sensitive information to thieves over the internet, resulting in a massive number of fraudulent transactions. While consumers impacted by the breach launched a separate class action to recover their personal losses, the financial institutions sought to recover the substantial costs they incurred when they were forced to cancel and reissue compromised cards, reimburse customers for any fraudulent charges and cover other out-of-pocket expenses.
If the settlement is approved, eligible financial institutions that file a claim to the fund will receive a fixed payment of approximately $2 per compromised card without having to submit documentation to prove their actual loss. Class members that are able to submit proof of losses will be eligible for a supplemental award of up to 60% of their documented losses arising from the data breach.
With the increasing threat posed by cyberattacks, increasing expectations and duties on holders of personal information to implement reasonable cyber security protections and incident response plans, outsourcing of services to common third-party suppliers, and use of cloud storage, there may be increasing opportunities for financial institutions to sit on the plaintiff side of the class action table.