Home Depot has agreed to resolve a putative class action brought against it by financial institutions with a proposed $25 million settlement and a promise to strengthen its data security practices following a monumental data breach responsible for compromising nearly 56 million credit and debit card numbers in 2014.
According to a memorandum in support of its preliminary approval, the proposed settlement claims the money would be required to go into a non-revisionary fund for distribution to financial institutions that have not already released their claims against Home Depot for losses linked to the massive cyberattack. An additional settlement up to $2.225 million would be for institutions with claims released by a sponsor, such as a card processor, in relation to a card brand recovery program available through MasterCard.
“Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards,” Jim Nussle, president/CEO of the Credit Union National Association (CUNA) and a plaintiff in the class action, told Law360 in a statement announcing the settlement. “This settlement would be a step toward making them whole again.”
As for strengthening its data security, the settlement will require Home Depot to “implement enhanced security measures to reduce the risk of a future data,” as well as pay the costs of notice to any eligible financial institutions and attorneys’ fees.
Lastly, the proposed settlement agreement states Home Depot must finance a service award of up to $2,500 for each of the 50 financial institutions, including 16 state credit union associations and CUNA, listed as plaintiffs in the consolidated class action complaint.
“We’re hopeful credit unions will see more victories in data breach suits going forward,” Nussle said to Law360, adding that in the meantime, “CUNA will continue pursuing a legislative solution that will result in stricter merchant data security standards, making it much harder for merchants to compromise payment card information.”
The Home Depot data breach occurred in December 2014 when hackers managed to install malware on the company’s self-checkout kiosks around the nation. The scheme worked and allowed the hackers to get away with approximately 56 million Home Depot customers’ personal financial information, such as full names, card numbers, expiration dates and security credentials.
Dee Miles, head of Beasley Allen’s Consumer Fraud section, was appointed to the Plaintiffs Steering Committee (PSC) for the multidistrict litigation (MDL) surrounding the Home Depot data breach back in 2015. Miles’ leadership experience with similar class actions ranges from the Target data breach MDL to the BP oil spill MDL.
“This is very important litigation that exposes the critical flaws in the way credit and debit card systems operate in the United States,” Miles said. “Because Home Depot failed to maintain adequate computer data security, it exposed millions of people to the risk of fraud and identity theft, and violated their privacy rights. Unless something is fundamentally changed, consumers will continue to be at risk.”