Home Depot Mandated to Pay $25 Million Over Data BreachMar 14, 2017
Banks' Data Breach Alleges Home Depot Compromised 56 Million Card Numbers
The Home Depot has just agreed to pay $25 million and to make its data security practices more stringent to resolve a putative class action that was brought against it by financial institutions following a 2014 data breach that compromised 56 million credit and debit card numbers; this, according to documents filed in Georgia federal court. The multidistrict litigation (MDL) is In Re: The Home Depot Inc., Customer Data Security Breach Litigation, case number 1:14-md-02583, in the U.S. District Court for the Northern District of Georgia.
The product liability attorneys at Parker Waichman LLP have decades of experience representing consumers in class action lawsuits. The firm continues to offer free legal consultations to individuals with questions about filing a data breach class action lawsuit.
A memorandum supporting the financial institutions' unopposed motion for preliminary approval of the proposed settlement indicated that the parties "after several years of contentious litigation" reached an agreement that would mandate the Home Depot to pay $25 million into a non-revisionary fund. Monies from the fund are to be distributed to financial institutions that have not already released their claims against the retailer for losses due to the payment card data breach, according to Law360.
Financial institutions that file a valid claim are eligible to receive a fixed payment that is estimated to be $2 per compromised card. The institutions will not have to submit documentation of losses and regardless of if compensation has been received from another source, according to the agreement, Law360 reported. Class members that submit proof of losses also eligible for a supplemental award of up to 60 percent of their documented, uncompensated losses from the data breach, the plaintiffs noted.
The Home Depot also agreed to pay up to $2.225 million to those institutions whose claims were released by a sponsor—for instance, a card processor—associated with the card brand recovery program that was provided by MasterCard. To date, Home Depot has paid approximately $14.5 million in premiums to MasterCard and Visa issuers in exchange for releases. The plaintiffs challenged if the releases made regarding the MasterCard program are valid, noting that the sponsors did not have the authority to enter into them and also pointed out that communications sent to the sponsored entities were both misleading and coercive, Law360 wrote.
The president and CEO of one of the plaintiffs, the Credit Union National Association (CUNA), Jim Nussle, said that, "Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards…. This settlement would be a step toward making them whole again." He added that the pact, which follows Home Depot's agreement in March 2016 to pay over $13 million and implement fund identity protection services and new data security measures to settle a putative class of consumers' claims over the breach, "represents one of the better outcomes in data breach litigation." CUNA also indicated its research into the data breach revealed that the intrusion cost credit unions alone some $60 million, according to Law360.
The settlement also requires that Home Depot "implement enhanced security measures to reduce the risk of a future data breach," and pay the costs of notice to eligible financial institutions and attorneys' fees. No agreement was made concerning the amount of attorneys' fees; however, the Class will be advised that counsel may request up to $18 million, which is less than 30 percent of the total $25 million settlement fund, the $2.25 million for sponsored entities, the $14.5 million in premiums paid as part of the card brand recovery processes and other costs and fees, according to the agreement Law360 reported.
Home Depot also agreed to finance a service award of up to $2,500 for every financial institution named in the consolidated class action complaint, according to the agreement noted, which includes 50 financial institutions from 44 states, 16 state credit union associations, and CUNA, noted Law360. "We're hopeful credit unions will see more victories in data breach suits going forward," Nussle said, adding that, "CUNA will continue pursuing a legislative solution that will result in stricter merchant data security standards, making it much harder for merchants to compromise payment card information."
Dozens of banks and credit unions brought 25 class actions against Home Depot actions after the retailer confirmed in 2014 that hackers placed malware on its self-checkout kiosks in stores nationwide. This allowed the hackers to rob some 56 million customers' personal financial information such as names, payment card numbers, expiration dates, and security codes. The financial institutions' cases were consolidated in December 2014 over allegations that the breach was "the inevitable result" of Home Depot's data-security practices that were "characterized by neglect, incompetence, and an overarching desire to minimize costs." The financial institutions alleged that Home Depot ignored warnings, expert opinions, employee warnings, and industry standards in its ongoing refusal to upgrade security. Allegations included that losses from the fraud totaled in the billions.
In May, U.S. District Judge Thomas Thrash Jr. allowed the majority of the claims to remain, saying that they had pled actual injuries that gave them standing. In July, Home Depot asked the district court to certify that ruling for interlocutory appeal to the Eleventh Circuit, arguing that the decision raised at least six new questions of law that would benefit from immediate resolution. These included if the financial institutions had Article III standing to assert claims arising from a data breach, if the retailers owe banks a duty to protect against third-party criminal hacks, and if financial institutions are able to bring a negligence claim premised on an alleged violation of Section 5 of the Federal Trade Commission (FTC) Act. The motion remains pending.
Yahoo Data Breaches
Other breaches have made headlines. For example, Yahoo disclosed two massive data breaches in 2016. One announced in September 2016 involved hackers stealing data from 500 million users in 2014. In December 2016, Yahoo announced that over one billion accounts were hacked in another cyber attack in 2013. The Securities and Exchange Commission (SEC) is reviewing the issues, according to BGR.com and, according to what Yahoo disclosed, to date, 43 consumer class action lawsuits have been filed due to the various data breaches.
In February 2017, another Yahoo data breach was revealed and was the third breach in just several months. Yahoo claims that the third disclosure is not new and had been disclosed in October 2015. In fact, Yahoo only mentioned the breach in a Security Exchange Commission (SEC) filing that most people had probably not read. Also, this was an atypical breach. According to BGR.com, the hackers did not simply access servers and steal data, the hackers penetrated accounts without accessing passwords. Also, while Yahoo disclosed a cyber attack in 2016, it only revealed that 32 million accounts may have been affected. The two prior Yahoo attacks impacted more than one billion Yahoo users. According to Reuters the newest disclosures were made in Yahoo's latest SEC 10-K filing.
According to The Associated Press, "Yahoo's handling and disclosure of the breaches is also under investigation by the Securities and Exchange Commission and the Federal Trade Commission. The Sunnyvale, California, company says it has spent $16 million investigating the breaches and covering the legal expenses so far."
Filing a Class Action Lawsuit
If you or someone you know is interested in filing a class action lawsuit, contact Parker Waichman today. Our experienced product liability attorneys offer free, no-obligation case evaluations. For more information, fill out our online form or call 1-800-YOURLAWYER (1-800-968-7529).