Cyber + Information Legal + Regulatory

Home Depot Cybersecurity Settlement Sets Model For Resolving Data Breach Claims

April 7, 2016
By Dennis S. Klein, Jeffrey B. Goldberg, Tyler Grove, Hughes Hubbard & Reed LLP

On March 8, 2016, the United States District Court for the Northern District of Georgia preliminarily approved a proposed $19.5 million settlement of a class action lawsuit against Home Depot, stemming from the 2014 cyber-attack against the company. See Order Certifying a Settlement Class, Preliminarily Approving Class Action Settlement and Directing Notice to the Settlement Class, In re The Home Depot, Inc., Customer Data Security Litigation, No. 1:14-md- 02583-TWT (N.D. Ga. Mar. 8, 2016) (Dkt. 185). The attack, which used the stolen credentials of a third-party vendor, compromised approximately 53 million email addresses and 56 million credit card accounts.

Under the proposed settlement, Home Depot would create a $13 million fund to reimburse its affected customers for certain out-of-pocket expenses. An additional $6.5 million would fund 18 months of identity protection services for affected customers.

The settlement represents a shrewd balancing by both sides of the likely legal costs to continue litigation against the likelihood of a judgment for the plaintiffs. Home Depot has a pending motion to dismiss, and other large retailers have traditionally been successful at challenging plaintiffs’ standing in data breach claims. Such challenges are based upon the plaintiffs’ inability to show any compensable harm. Even if customers are the victims of credit card fraud following a hack, they are typically reimbursed by their bank. However, even if Home Depot succeeded in dismissing or otherwise narrowing the plaintiffs’ claims, the litigation required to do so would be very expensive. Both Home Depot and plaintiffs’ counsel apparently concluded that the costs of continuing the litigation, combined with the potential for liability, outweighed the settlement amount.

 

Read the full article, “Home Depot Cybersecurity Settlement Sets Model For Resolving Data Breach Claims,” published April 6, 2016.