Home Depot data breach

Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims.  As previously reported in this blog, that derivative action was dismissed on November 30, 2016.  That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches.  Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal.  The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss.  On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement.  If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach. Continue Reading Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims

Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed.  On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores.  The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing.  According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?

To take a step back from our continuing analysis of the situation and developments in Europe,  there are other things going on in the privacy and data security world!   Our October Wednesday Webinar is coming up and we will take a walk on the wild side:  data security litigation.    Registration is open now! Read more – Continue Reading Wednesday Webinar: Tricks, But No Treats – A Halloween Visit to the Frightening World of Data Security Litigation

In its recently-filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims.  In payment card data breach cases, defendants typically argue that consumers lack standing to sue because card issuers hold consumers harmless for any fraudulent charges on their credit or debit cards.  Such standing arguments are not ordinarily advanced against the claims of the card-issuing banks that end up paying those bogus charges.  Home Depot, however, argues that the card issuer plaintiffs do not allege sufficient injury to have standing to bring suit in federal court.  In particular, Home Depot maintains that the card issuers’ consolidated complaint, despite listing 68 separate named plaintiffs, does not contain any specific allegations that identify with particularity what losses, if any, those plaintiffs suffered. Only two of the complainants 285 paragraphs allege the harms suffered by card issuers, but both do so without identifying which particular harms alleged had been sustained by any named plaintiffs.  Home Depot argues that the failure to plead the existence of concrete injuries suffered by named plaintiffs is fatal to the card issuers’ complaint.

In addition, Home Depot asserts that alleged losses incurred to avoid potential future harms – such as the cost of issuing new cards – are not cognizable injuries under the Supreme Court’s ruling in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).  Clapper held that, to be sufficient to confer Article III standing, losses must be “fairly traceable” to a defendant’s purported wrongdoing.  Losses willingly incurred to protect against a possibility of future harm do not suffice.  See id. at 1152-53.  Quoting Clapper, 133 S. Ct. 151, Home Depot contends that the card issuers “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”   Thus, without conceding that other types of losses might confer standing, Home Depot argues that losses directed toward future harms, even if alleged with particularity, would be insufficient as a matter of law to confer Article III standing on the card issuer banks.

A second significant ground on which Home Depot seeks dismissal of the card issuers’ claims is lack of ripeness. This argument is premised on the complex and detailed rules governing the interrelationship between card issuing banks, banks that accept charges made on cards and the card brands that issue the cards.  Each of the card brands establishes a process for resolving claims relating to fraudulent charges made on their cards.  In its brief, Home Depot collectively refers to the ongoing adjudication of data breach claims under those roles as the “Card Brand Recovery Process.”  According to Home Depot, the Card Brand Recovery Process is ongoing and could substantially resolve card issuers’ claims.  At a minimum, Home Depot contends that card issuers would not be entitled to seek recovery in the consolidated federal court lawsuit that is duplicative of amounts awarded through the Card Brand Recovery Process.  Accordingly, Home Depot argues that the card issuers’ claims will not be ripe until the Card Brand Recovery Process has been completed and the extent of their injuries, if any, are then known.

The card brand claim adjudication process has already played a significant role in connection with card issuers’ claims in the consolidated data breach class action against Target.  In that case, Target attempted to obtain a global resolution of the claims of MasterCard-issuing banks through a settlement negotiated with MasterCard under its dispute resolution rubric.  The proposed settlement was conditioned on approval by issuers of at least 90% of the eligible accounts and failed due to lack of support by issuing banks.  Target’s lack of success in using the card brand dispute resolution process to dispose of card issuer claims casts some doubt on whether Home Depot’s ripeness argument, even if accepted, would facilitate a final resolution of claims outside of federal court.  Allowing the Card Brand Recovery Process to continue, however, could reduce the number of outstanding claims and yield more manageable proceedings in federal court.

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims.  While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows. Continue Reading Home Depot Moves to Dismiss Consumer Data Breach Claims for Lack of Standing