Home Depot Cybersecurity Settlement Sets Model for Resolving Data Breach Claims


HHR Advisories & Publications

On March 8, 2016, the United States District Court for the Northern District of Georgia preliminarily approved a proposed $19.5 million settlement of a class action lawsuit against Home Depot, stemming from the 2014 cyber-attack against the company. See Order Certifying a Settlement Class, Preliminarily Approving Class Action Settlement and Directing Notice to the Settlement Class, In re The Home Depot, Inc., Customer Data Security Litigation, No. 1:14-md-02583-TWT (N.D. Ga. Mar. 8, 2016) (Dkt. 185). The attack, which used the stolen credentials of a third-party vendor, compromised approximately 53 million email addresses and 56 million credit card accounts.

Under the proposed settlement, Home Depot would create a $13 million fund to reimburse its affected customers for certain out-of-pocket expenses. An additional $6.5 million would fund 18 months of identity protection services for affected customers.

The settlement represents a shrewd balancing by both sides of the likely legal costs to continue litigation against the likelihood of a judgment for the plaintiffs. Home Depot has a pending motion to dismiss, and other large retailers have traditionally been successful at challenging plaintiffs' standing in data breach claims. Such challenges are based upon the plaintiffs' inability to show any compensable harm. Even if customers are the victims of credit card fraud following a hack, they are typically reimbursed by their bank. However, even if Home Depot succeeded in dismissing or otherwise narrowing the plaintiffs' claims, the litigation required to do so would be very expensive. Both Home Depot and plaintiffs' counsel apparently concluded that the costs of continuing the litigation, combined with the potential for liability, outweighed the settlement amount.

This decision appears justified in the context of other recent data breach cases. In March 2015, for example, Target agreed to settle largely similar claims for $10 million, stemming from a 2013 data breach that compromised the financial information of 40 million customers. See Order Certifying A Settlement Class, Preliminarily Approving Class Action Settlement and Directing Notice to the Settlement Class, In re Target Corp. Consumer Data Security Breach Litig., MDL No. 14-2522 (D. Minn. Mar. 19, 2015) (Dkt. 364). However, that settlement came after most of the plaintiffs' claims survived Target's motion to dismiss. Assuming that Target's legal fees in litigating the case up to that point were similar to the Home Depot plaintiffs' counsel's fees -- $6.75 million -- the overall cost to Target is comparable to the overall cost to Home Depot to settle its suit.

Going forward, observers will likely see more settlements for data breach claims early in the pleadings stage. Corporations that fall victim to similar hacking attacks should carefully weigh the costs of an early settlement against the legal expenses of protracted litigation.