On March 8, 2016, the United States District Court for the Northern District of
Georgia preliminarily approved a proposed $19.5 million settlement of a class
action lawsuit against Home Depot, stemming from the 2014 cyber-attack against
the company. See Order Certifying a Settlement Class, Preliminarily Approving
Class Action Settlement and Directing Notice to the Settlement Class, In re The
Home Depot, Inc., Customer Data Security Litigation, No. 1:14-md- 02583-TWT
(N.D. Ga. Mar. 8, 2016) (Dkt. 185). The attack, which used the stolen
credentials of a third-party vendor, compromised approximately 53 million email
addresses and 56 million credit card accounts.
the proposed settlement, Home Depot would create a $13 million fund to
reimburse its affected customers for certain out-of-pocket expenses. An
additional $6.5 million would fund 18 months of identity protection services
for affected customers.
settlement represents a shrewd balancing by both sides of the likely legal
costs to continue litigation against the likelihood of a judgment for the
plaintiffs. Home Depot has a pending motion to dismiss, and other large
retailers have traditionally been successful at challenging plaintiffs' standing
in data breach claims. Such challenges are based upon the plaintiffs' inability
to show any compensable harm. Even if customers are the victims of credit card
fraud following a hack, they are typically reimbursed by their bank. However,
even if Home Depot succeeded in dismissing or otherwise narrowing the
plaintiffs' claims, the litigation required to do so would be very expensive.
Both Home Depot and plaintiffs' counsel apparently concluded that the costs of continuing
the litigation, combined with the potential for liability, outweighed the
decision appears justified in the context of other recent data breach cases. In
March 2015, for example, Target agreed to settle largely similar claims for $10
million, stemming from a 2013 data breach that compromised the financial
information of 40 million customers. See Order Certifying A Settlement Class,
Preliminarily Approving Class Action Settlement and Directing Notice to the
Settlement Class, In re Target Corp. Consumer Data Security Breach Litig., MDL No.
14-2522 (D. Minn. Mar. 19, 2015) (Dkt. 364). However, that settlement came
after most of the plaintiffs' claims survived Target's motion to dismiss.
Assuming that Target's legal fees in litigating the case up to that point were
similar to the Home Depot plaintiffs' counsel's fees -- $6.75 million -- the
overall cost to Target is comparable to the overall cost to Home Depot to
settle its suit.
forward, observers will likely see more settlements for data breach claims
early in the pleadings stage. Corporations that fall victim to similar hacking
attacks should carefully weigh the costs of an early settlement against the
legal expenses of protracted litigation.