<b><i>Online Extra</b></i> Home Depot Settlement With MasterCard Riles Lawyers For Data Breach Plaintiffs

Some notices required proposed class members to take action by Dec. 2, “without providing even the most basic information regarding the settlement terms,” attorneys said in a motion filed Monday. Some notices said that a failure to act within the time limit would result in an automatic enrollment in the settlement, the plaintiffs' lawyers added.

“What is clear from the timing and substance (or lack thereof) of the communications is that Home Depot, the other parties to the settlement, and those acting in concert with them do not want to make public the full details of the settlement and to provide financial institutions the necessary information to make an informed decision as to whether to participate in the settlement,” the financial institutions' counsel contended.

They have asked U.S. District Chief Judge Thomas Thrash Jr. for an immediate hearing so that Home Depot “can explain its actions,” including “the scope and extent of the communications.” They also asked the judge to limit further communications by Home Depot or its agents with any potential class members. The lawyers have also suggested they may seek further relief, including a possible preliminary injunction to bar Home Depot and anyone acting in concert with the chain from implementing the settlement or enforcing any releases that may have been secured as a result of the notices.

Plaintiffs' counsel also have asked that Home Depot be required to produce a copy of the settlement with MasterCard and any other settlement agreements it may have reached with potential class members, as well as all communications regarding the settlement and a list of all those to whom those communications were sent. By press time, Thrash had not acted on the plaintiffs' motion.

Phyllis Sumner, a partner at King & Spalding and one of a team of attorneys defending The Home Depot, referred our ALM sibling, Daily Report to a company spokesman. Home Depot spokesman Stephen Holmes told the Daily Report that Home Depot was not aware of the letters that were sent last week to potential plaintiffs in the ongoing case and had not asked anyone else to send out the communiques.

Ken Canfield of Doffermyre Shields Canfield & Knowles, co-lead counsel for the financial institutions, declined to comment on the settlement or the pending motion.

Last year, a string of banks, credit unions and customers sued Home Depot, claiming that, collectively, they sustained millions of dollars in damages as a result of the security breach, which exposed the personal payment information of about 56 million customers to computer hackers for at least five months. The complaints contend that a private data security firm retained by Home Depot first notified company executives in July 2014 that Home Depot's malware detection systems were out of date and its customers' personal and financial data were vulnerable to cyberattacks by hackers at its checkout terminals. But the company didn't upgrade its anti-virus software, the suits contend, and never detected the malware in its system.

The Home Depot belatedly went public with the breach last year after chain executives learned that customers' personal and financial data had been posted for sale on a black market website. The chain released a statement saying that the malware associated with the data breach had been purged. The company also announced at the time that it had enhanced the encryption of payment data at the point-of-sale in Home Depot's U.S. stores.

The suits claim the data breach exposed customers' names, credit and debit card numbers, expiration dates, verification numbers and the states and ZIP codes associated with every card transaction in more than 2,000 stores.

The plaintiff banks and credit unions have claimed the data breach generated millions of dollars in costs for refunding any fraudulent charges that resulted, for stopping or blocking payments, notifying customers of the breach, reissuing debit and credit cards and increasing fraud-monitoring efforts.

Last fall, Home Depot and the plaintiffs' lawyers argued over Home Depot's request that the court not to oversee company communications either with potential or absent class members. Home Depot attorneys said that the law allows a defendant or a nonparty to communicate with and to settle with potential class members at any time without court approval before a class is certified ' as long as those communications are neither misleading nor coercive. To limit those communications would violate the corporation's First Amendment rights, Home Depot's lawyers added. Just before Thanksgiving, Home Depot filed a brief asking for a separate court order that would have allowed the chain or its representatives to contact banks with any settlement offer reached separately under the terms of its contracts with the credit card companies with which it did business. Those contracts included procedures that would reimburse the banks for certain overhead expenses and fraudulent charges associated with data breaches.

Plaintiffs' lawyers said said that, although Home Depot lawyers acknowledged last week that settlement discussions were underway with MasterCard, they “failed to disclose that the settlement was imminent, and likely already consummated.”

On the Wednesday before Thanksgiving, third-party payment processors, “evidently acting in concert with Home Depot,” sent e-mail notifications to proposed class members, including those represented by counsel, the plaintiffs' lawyers said.

Those notices announced that Home Depot and MasterCard had reached a settlement over the data breach. Some of those communications stated that “failure to affirmatively opt out of the settlement will result in a release of all claims,” without specifically mentioning the ongoing litigation or telling class members how much they would receive under the settlement terms, the plaintiffs' lawyers said.

Three of those notices, which plaintiffs' lawyers included in their court filings, describe the settlement as a “time-sensitive” offer “in lieu of any other recovery” ' and, the lawyers contend, could be interpreted as a release from liability both for MasterCard and for Home Depot.

“Once a bank clicks through to the form they are asked to fill out, the release language is included in miniscule print at the bottom of the page, where it finally mentions the class litigation, but no detail as to the claims or consequences of exiting the class action,” they said. In addition, “In all cases financial institutions are asked to act quickly without access to the settlement,” the lawyers added in their motion.

The plaintiffs' lawyers also contended that the notices and the truncated deadlines were “likely” to mislead potential class members into believing that the offer “is their best (and perhaps only) avenue for recovery and coerce them to accept the recovery on an expedited basis and without knowledge of critical facts for fear of losing out.”

“The communications suggest that class members who do not participate in the settlement will receive nothing, foregoing money that under MasterCard's regulations they are entitled to receive without releasing their claims against Home Depot,” they added.

“The communications are plainly intended to cause class members to make a rushed decision without the benefit of time and information, gutting the claims in this litigation, and allowing Home Depot to shield itself from liability at the expense of class members' recovery,” they concluded.

Mike McGlamry, a partner with Pope McGlamry Kilpatrick Morrison & Norwood who has represented plaintiffs in class actions and multidistrict cases across the country, told the Daily Report that the settlement notices smack of an attempt by Home Depot to make “an end run” around the ongoing litigation. If the courts permit defendants in potential class action cases to sidestep plaintiffs' counsel and negotiate their own private settlements, he added, “It would essentially destroy class action litigation.”

“You are just undermining the system,” he said. “I would hope the court would force Home Depot to come completely clean and disclose it all.”

McGlamry also suggested that any disclaimers by Home Depot that it didn't send out the settlement notices were “a farce.”

“They had to know in working out the settlement with MasterCard that this was going on,” he said. “They had to approve the notices. MasterCard was not doing it on their own.”

With companies as sophisticated as Home Depot and MasterCard and the lawyers defending them, McGlamry said that any settlement would have been negotiated “down to the last word ' I don't know for a fact whether or not Home Depot and MasterCard reviewed all these notices and settlement documents, but it would be the first time I ever heard somebody did not.”

–'R. Robin McDonald, Daily Report

An apparent settlement between Home Depot and MasterCard International Inc. over a massive customer data breach last year has prompted lawyers for financial institutions that are suing the Atlanta-based home improvement chain for damages caused by hackers to cry foul.

Counsel for the plaintiff banks and credit unions claim that, over the Thanksgiving holiday, without their knowledge, agents of Home Depot sent “highly misleading and coercive communications” offering an apparent settlement to their clients and other potential plaintiffs in the multidistrict litigation. The notices were sent as the presiding judge was still considering whether to allow Home Depot to communicate directly with potential class members without prior screening either by plaintiffs' attorneys or the court.

The notices announced a deal between Home Depot and MasterCard, which is not a plaintiff in the multidistrict litigation.

Some notices required proposed class members to take action by Dec. 2, “without providing even the most basic information regarding the settlement terms,” attorneys said in a motion filed Monday. Some notices said that a failure to act within the time limit would result in an automatic enrollment in the settlement, the plaintiffs' lawyers added.

“What is clear from the timing and substance (or lack thereof) of the communications is that Home Depot, the other parties to the settlement, and those acting in concert with them do not want to make public the full details of the settlement and to provide financial institutions the necessary information to make an informed decision as to whether to participate in the settlement,” the financial institutions' counsel contended.

They have asked U.S. District Chief Judge Thomas Thrash Jr. for an immediate hearing so that Home Depot “can explain its actions,” including “the scope and extent of the communications.” They also asked the judge to limit further communications by Home Depot or its agents with any potential class members. The lawyers have also suggested they may seek further relief, including a possible preliminary injunction to bar Home Depot and anyone acting in concert with the chain from implementing the settlement or enforcing any releases that may have been secured as a result of the notices.

Plaintiffs' counsel also have asked that Home Depot be required to produce a copy of the settlement with MasterCard and any other settlement agreements it may have reached with potential class members, as well as all communications regarding the settlement and a list of all those to whom those communications were sent. By press time, Thrash had not acted on the plaintiffs' motion.

Phyllis Sumner, a partner at King & Spalding and one of a team of attorneys defending The Home Depot, referred our ALM sibling, Daily Report to a company spokesman. Home Depot spokesman Stephen Holmes told the Daily Report that Home Depot was not aware of the letters that were sent last week to potential plaintiffs in the ongoing case and had not asked anyone else to send out the communiques.

Ken Canfield of Doffermyre Shields Canfield & Knowles, co-lead counsel for the financial institutions, declined to comment on the settlement or the pending motion.

Last year, a string of banks, credit unions and customers sued Home Depot, claiming that, collectively, they sustained millions of dollars in damages as a result of the security breach, which exposed the personal payment information of about 56 million customers to computer hackers for at least five months. The complaints contend that a private data security firm retained by Home Depot first notified company executives in July 2014 that Home Depot's malware detection systems were out of date and its customers' personal and financial data were vulnerable to cyberattacks by hackers at its checkout terminals. But the company didn't upgrade its anti-virus software, the suits contend, and never detected the malware in its system.

The Home Depot belatedly went public with the breach last year after chain executives learned that customers' personal and financial data had been posted for sale on a black market website. The chain released a statement saying that the malware associated with the data breach had been purged. The company also announced at the time that it had enhanced the encryption of payment data at the point-of-sale in Home Depot's U.S. stores.

The suits claim the data breach exposed customers' names, credit and debit card numbers, expiration dates, verification numbers and the states and ZIP codes associated with every card transaction in more than 2,000 stores.

The plaintiff banks and credit unions have claimed the data breach generated millions of dollars in costs for refunding any fraudulent charges that resulted, for stopping or blocking payments, notifying customers of the breach, reissuing debit and credit cards and increasing fraud-monitoring efforts.

Last fall, Home Depot and the plaintiffs' lawyers argued over Home Depot's request that the court not to oversee company communications either with potential or absent class members. Home Depot attorneys said that the law allows a defendant or a nonparty to communicate with and to settle with potential class members at any time without court approval before a class is certified ' as long as those communications are neither misleading nor coercive. To limit those communications would violate the corporation's First Amendment rights, Home Depot's lawyers added. Just before Thanksgiving, Home Depot filed a brief asking for a separate court order that would have allowed the chain or its representatives to contact banks with any settlement offer reached separately under the terms of its contracts with the credit card companies with which it did business. Those contracts included procedures that would reimburse the banks for certain overhead expenses and fraudulent charges associated with data breaches.

Plaintiffs' lawyers said said that, although Home Depot lawyers acknowledged last week that settlement discussions were underway with MasterCard, they “failed to disclose that the settlement was imminent, and likely already consummated.”

On the Wednesday before Thanksgiving, third-party payment processors, “evidently acting in concert with Home Depot,” sent e-mail notifications to proposed class members, including those represented by counsel, the plaintiffs' lawyers said.

Those notices announced that Home Depot and MasterCard had reached a settlement over the data breach. Some of those communications stated that “failure to affirmatively opt out of the settlement will result in a release of all claims,” without specifically mentioning the ongoing litigation or telling class members how much they would receive under the settlement terms, the plaintiffs' lawyers said.

Three of those notices, which plaintiffs' lawyers included in their court filings, describe the settlement as a “time-sensitive” offer “in lieu of any other recovery” ' and, the lawyers contend, could be interpreted as a release from liability both for MasterCard and for Home Depot.

“Once a bank clicks through to the form they are asked to fill out, the release language is included in miniscule print at the bottom of the page, where it finally mentions the class litigation, but no detail as to the claims or consequences of exiting the class action,” they said. In addition, “In all cases financial institutions are asked to act quickly without access to the settlement,” the lawyers added in their motion.

The plaintiffs' lawyers also contended that the notices and the truncated deadlines were “likely” to mislead potential class members into believing that the offer “is their best (and perhaps only) avenue for recovery and coerce them to accept the recovery on an expedited basis and without knowledge of critical facts for fear of losing out.”

“The communications suggest that class members who do not participate in the settlement will receive nothing, foregoing money that under MasterCard's regulations they are entitled to receive without releasing their claims against Home Depot,” they added.

“The communications are plainly intended to cause class members to make a rushed decision without the benefit of time and information, gutting the claims in this litigation, and allowing Home Depot to shield itself from liability at the expense of class members' recovery,” they concluded.

Mike McGlamry, a partner with Pope McGlamry Kilpatrick Morrison & Norwood who has represented plaintiffs in class actions and multidistrict cases across the country, told the Daily Report that the settlement notices smack of an attempt by Home Depot to make “an end run” around the ongoing litigation. If the courts permit defendants in potential class action cases to sidestep plaintiffs' counsel and negotiate their own private settlements, he added, “It would essentially destroy class action litigation.”

“You are just undermining the system,” he said. “I would hope the court would force Home Depot to come completely clean and disclose it all.”

McGlamry also suggested that any disclaimers by Home Depot that it didn't send out the settlement notices were “a farce.”

“They had to know in working out the settlement with MasterCard that this was going on,” he said. “They had to approve the notices. MasterCard was not doing it on their own.”

With companies as sophisticated as Home Depot and MasterCard and the lawyers defending them, McGlamry said that any settlement would have been negotiated “down to the last word ' I don't know for a fact whether or not Home Depot and MasterCard reviewed all these notices and settlement documents, but it would be the first time I ever heard somebody did not.”

–'R. Robin McDonald, Daily Report