Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

<b><i>Online Extra:</b></i> Home Depot to Pay $13 Million to Settle Consumers' Data Breach Case

By R. Robin McDonald
March 31, 2016

The Home Depot will pay $13 million to resolve claims by customers whose personal information was exposed to hackers during a massive data security breach in 2014.

The settlement agreement, filed in March in U.S. District Court in Atlanta, would certify a class of Home Depot customers to include all U.S. residents whose personal information was compromised after they used payment cards at self-checkout lanes at U.S. Home Depot stores between April 10, 2014, and Sept. 13, 2014, according to court papers.

Home Depot has said that the breach ' which exposed customers' payment card account numbers, expiration dates and cardholder names'affected as many as 56 million customers. Lawyers from nine law firms that were members of a steering committee shepherding the multidistrict litigation, including former Georgia Gov. Roy Barnes, on Monday asked U.S. District Chief Judge Thomas Thrash Jr. to grant preliminary approval of the settlement and certify the consumer class. Barnes is liaison counsel for the consumers.

The agreement says Home Depot will also pay reasonable legal fees, costs and expenses, up to $8,475,000 in fees and legal costs and expenses that do not exceed $300,000.

King & Spalding represented Home Depot. Company spokesman Stephen Holmes said that settling the case was the most expeditious path to 'put the litigation behind us,' adding that the settlement was not an admission of liability.'Home Depot customers, he said, were not held responsible for any fraudulent charges made against their accounts.' And although he acknowledged that customers' credit card numbers were exposed, he said that Home Depot has no evidence that customers' PIN numbers'were compromised. '

Barnes and partner John Bevis were not available for comment.

The $13 million settlement fund will compensate class members for out-of-pocket losses, unreimbursed charges and other substantiated losses, up to a maximum of $10,000. Class members may also submit claims with supporting documentation to receive reimbursement for up to five hours, at $15 an hour, for time spent remedying issues relating to the data breach, according to settlement documents. Those who cannot separately document their time may self-certify the amount of time they spent without documentation and claim up to two hours at $15 an hour. Home Depot has also agreed to fund 18 months of identity protection for the class members whose payment cards were compromised.

Home Depot also has agreed to implement specific data security measures in its U.S. stores for at least two years. Those measures include creating a chief information security officer; the routine performance of product and data risk assessments; implementing safeguards as a result of those risk assessments; and setting standards for the selection and retention of service providers or vendors whose data security practices are consistent with industry standards.

Home Depot will also provide written notice to store customers disclosing the storage and use of customer information; provide employee education and training regarding customer privacy and security; and implement enhanced security measures at the point of sale. Home Depot also will encrypt all payment card data at the point of sale; and will not retain card security code data, PIN numbers or the full contents of magnetic stripe data for longer than 48 hours.

The settlement includes only Home Depot customers.

Financial institutions that issued credit or debit cards to customers that were compromised by the data breach also have sued Home Depot for damages incurred by the breach. Those cases are still being litigated.

'–'R. Robin McDonald, Daily Report

'

Read These Next
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit Image

Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.

Fresh Filings Image

Notable recent court filings in entertainment law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.