Home Depot has agreed to pay more than $25 million to settle a class action lawsuit brought by banks and credit unions stemming from the store’s 2014 data breach. Home Depot previously settled with credit card issuers and some financial institutions, but other banks filed a separate lawsuit to recoup their costs of reissuing debit and credit cards and other losses. This is one of the more successful settlements in data breach litigation and demonstrates that such litigation may be a useful way for banks to recoup losses.
Several banks and credit unions filed this lawsuit against Home Depot to recover the costs of notifying customers and reissuing debit and credit cards after Home Depot’s massive data breach. As I wrote in a post last year, the court rejected Home Depot’s attempt to have the lawsuit dismissed, concluding that Home Depot could be held responsible for failing to institute proper safeguards to protect customer data. Home Depot has now agreed to settle the lawsuit and to pay settlement funds to banks and credit unions that file claims. Banks will be entitled to either (a) $2 per compromised card without having to submit documentation; or (b) 60% of their total loss if they submit proper documentation. Any bank that does not like the proposed settlement has the ability to object to it or opt out of the settlement to pursue its own damages.
Like the Target data breach settlement, this settlement illustrates that banks may be able to recover losses from retailers following a data breach. Although the settlement amount is significantly less than the estimated $8 per card that banks lose in the event of a data breach, it represents some compensation for banks that usually bear the brunt of the losses in data breaches. As always, banks should consult with their legal counsel to determine how to proceed when they lose money as a result of a data breach.