Home Depot Agrees to Settle Banks' Data Breach Claims for $27.25 Million | Practical Law

In In re: The Home Depot, Inc., Customer Data Security Breach Litigation, Home Depot, Inc. agreed to pay $27.25 million to settle claims brought by numerous banks and credit unions for negligence, negligence per se, and violations of various unfair and deceptive trade practices statutes. These financial institutions had to reimburse customers and cancel and reissue compromised payment cards as a result of a data breach Home Depot experienced from April to September 2014. Home Depot also agreed to implement certain data security measures to reduce the risk of a future data breach.

Practical Law Legal Update w-006-8801 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Law stated as of 10 Oct 2017
USA (National/Federal)
On September 22, 2017, the US District Court in Northern Georgia issued a final order and judgment approving a settlement in In re: The Home Depot, Inc., Customer Data Security Breach Litigation (No.: 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017)). Under the terms of the approved settlement, Home Depot, Inc., agreed to pay $27.25 million to resolve class action claims brought by banks and credit unions alleging violations of common law negligence, negligence per se, and various unfair and deceptive trade practices statutes. These financial institutions issued payment cards to consumers affected by a data breach Home Depot experienced between April and September 2014.
In September 2014, Home Depot released an announcement confirming that its payment data systems had been breached and that the breach potentially impacted customers using payment cards at its US and Canadian stores. The data breach likely resulted in the theft of customers' personal information, including names, payment card numbers, expiration dates, and security codes. As a result of the data breach, financial institutions:
  • Canceled and reissued compromised payment cards to mitigate damage.
  • Reimbursed customers for fraudulent transactions.
  • Incurred other substantial out-of-pocket expenses in responding to the data breach.
Under the settlement agreement, Home Depot agreed to both compensate the financial institutions that have not already released their claims against Home Depot and implement new data security measures for a period of two years following the settlement to reduce the risk of a future data breach.
Home Depot agreed to pay:
  • $25 million into a settlement fund to compensate the financial institutions for damages resulting from the data breach.
  • $2.25 million to certain entities whose claims were released in connection with an account data compromise (ADC) program set up by MasterCard.
Awards from the $25 million settlement fund will be distributed as follows:
  • A fixed payment award of approximately $2.00 per compromised card for class members that file a valid claim, with no need to prove losses and regardless of any compensation they already received from another source.
  • Class members that submit proof of their losses are also eligible for a documented damages award of up to 60% of their uncompensated losses from the data breach, minus any fixed payment award amount. The documented damages awards will be paid from the money remaining after payment of all fixed payment awards.
Awards related to MasterCard's ADC program will be distributed as follows:
  • $2.00 per compromised card for eligible sponsored entities that submit a valid claim.
  • If the valid claims exceed the $2.25 million cap, actual payments will be reduced pro rata so that the cap is not exceeded.
  • If the valid claims are less than $2.25 million, Home Depot only needs to pay the amount of the valid claims.
Home Depot also agreed to implement data security measures for its US stores for two years following the settlement. Security measures include:
  • Designing and implementing reasonable safeguards to manage the risks identified through its data security risk assessments and tracking and managing its data security risk assessments using a risk exception process that involves Home Depot's leadership. Home Depot must review the risk exception process annually.
  • Developing and using reasonable steps to select and retain information technology service providers and other vendors capable of maintaining and conducting appropriate assessments to ensure that vendors having access to payment card information comply with Home Depot's security practices.
  • Implementing an appropriate industry recognized security control framework.
In addition to this settlement agreement, Home Depot has previously negotiated settlements with American Express, Discover, and Visa and agreed to a $19.5 million settlement to compensate US consumers harmed by the 2014 data breach.