Home Depot Settles with Financial Institutions for Over $25 Million in Data Breach Case
New filings in the consolidated Home Depot data breach litigation, which we have previously covered on this blog, indicate that Home Depot and the remaining financial institution plaintiffs have reached a settlement.
To briefly recap, back in September 2014, Home Depot announced to the public that its payment data systems had been breached by hackers, who installed malware in store kiosks that allowed them to steal customer financial information. That stolen information was used in massive numbers of fraudulent transactions. Financial institutions were required to cancel and reissue credit and debit cards and reimburse customers for those fraudulent transactions. Customers and financial institutions filed class actions across the country. In December 2014, the cases were centralized by the Judicial Panel on Multidistrict Litigation in federal court in Georgia.
Last year, Home Depot settled with the consumer class for $13 million in cash and $6.5 million of cardholder identity protection services. Over the course of the litigation, Home Depot has also reached settlements with the largest payment card issuers, representing between 70 and 80 percent of cards compromised in the data breach. Those settlements, combined with payments made through the card brands’ normal recovery processes, cost Home Depot more than $140 million. Now, Home Depot has settled with the remaining members of the financial institution class for $25 million, exclusive of attorneys’ fees (which are yet to be determined). Home Depot has also agreed to pay up to $2.25 million to certain entities whose release of their claims had been challenged by plaintiffs for various reasons.
In addition to the financial terms of the settlement, Home Depot has agreed to implement certain data security measures for a period of two years after the settlement agreement is executed. These include “reasonable safeguards to manage the risks, if any, identified through its data security risk assessments,” undefined “reasonable steps to select and retain information technology service providers capable of maintaining [appropriate] security practices,” and “an industry recognized security control framework” to address the risk of future data breaches.
This settlement should resolve all remaining claims in the Home Depot class action, once it receives court approval. We will continue to monitor developments in the case.