Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed.  On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores.  The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing.  According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?

In its recently-filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims.  In payment card data breach cases, defendants typically argue that consumers lack standing to sue because card issuers hold consumers harmless for any fraudulent charges on their credit or debit cards.  Such standing arguments are not ordinarily advanced against the claims of the card-issuing banks that end up paying those bogus charges.  Home Depot, however, argues that the card issuer plaintiffs do not allege sufficient injury to have standing to bring suit in federal court.  In particular, Home Depot maintains that the card issuers’ consolidated complaint, despite listing 68 separate named plaintiffs, does not contain any specific allegations that identify with particularity what losses, if any, those plaintiffs suffered. Only two of the complainants 285 paragraphs allege the harms suffered by card issuers, but both do so without identifying which particular harms alleged had been sustained by any named plaintiffs.  Home Depot argues that the failure to plead the existence of concrete injuries suffered by named plaintiffs is fatal to the card issuers’ complaint.

In addition, Home Depot asserts that alleged losses incurred to avoid potential future harms – such as the cost of issuing new cards – are not cognizable injuries under the Supreme Court’s ruling in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).  Clapper held that, to be sufficient to confer Article III standing, losses must be “fairly traceable” to a defendant’s purported wrongdoing.  Losses willingly incurred to protect against a possibility of future harm do not suffice.  See id. at 1152-53.  Quoting Clapper, 133 S. Ct. 151, Home Depot contends that the card issuers “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”   Thus, without conceding that other types of losses might confer standing, Home Depot argues that losses directed toward future harms, even if alleged with particularity, would be insufficient as a matter of law to confer Article III standing on the card issuer banks.

A second significant ground on which Home Depot seeks dismissal of the card issuers’ claims is lack of ripeness. This argument is premised on the complex and detailed rules governing the interrelationship between card issuing banks, banks that accept charges made on cards and the card brands that issue the cards.  Each of the card brands establishes a process for resolving claims relating to fraudulent charges made on their cards.  In its brief, Home Depot collectively refers to the ongoing adjudication of data breach claims under those roles as the “Card Brand Recovery Process.”  According to Home Depot, the Card Brand Recovery Process is ongoing and could substantially resolve card issuers’ claims.  At a minimum, Home Depot contends that card issuers would not be entitled to seek recovery in the consolidated federal court lawsuit that is duplicative of amounts awarded through the Card Brand Recovery Process.  Accordingly, Home Depot argues that the card issuers’ claims will not be ripe until the Card Brand Recovery Process has been completed and the extent of their injuries, if any, are then known.

The card brand claim adjudication process has already played a significant role in connection with card issuers’ claims in the consolidated data breach class action against Target.  In that case, Target attempted to obtain a global resolution of the claims of MasterCard-issuing banks through a settlement negotiated with MasterCard under its dispute resolution rubric.  The proposed settlement was conditioned on approval by issuers of at least 90% of the eligible accounts and failed due to lack of support by issuing banks.  Target’s lack of success in using the card brand dispute resolution process to dispose of card issuer claims casts some doubt on whether Home Depot’s ripeness argument, even if accepted, would facilitate a final resolution of claims outside of federal court.  Allowing the Card Brand Recovery Process to continue, however, could reduce the number of outstanding claims and yield more manageable proceedings in federal court.

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims.  While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows. Continue Reading Home Depot Moves to Dismiss Consumer Data Breach Claims for Lack of Standing

Written by Kevin McGinty

Substantive litigation in the flood of lawsuits concerning the recent Home Depot data breach awaits a determination of where the cases will be heard.  Numerous overlapping lawsuits have been filed in courts throughout the United States asserting claims on behalf of consumers and financial institutions arising from the massive theft of credit card data that was confirmed by Home Depot in September.

Continue Reading Home Depot Data Breach Litigation: Venue and Consolidation

Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/

Home Depot Breach – By the Numbers

56 million cards at risk (compare to Target = 40 million)

$62 million in estimated costs (compare to Target  =$146 million and counting)

$27 million insurance coverage (compare to Target = $100 million in cover)

Lawsuits filed – at least 1 in US and 1 in Canada

Filed 8-K with Securities and Exchange Commission on September 8 (Took Target 2 months to file)

Continue Reading Privacy Monday – September 22, 2014

Back to school, back to traffic jams … back to Privacy Mondays! Our look at bits and bytes and goofs and gaffes in data privacy and security

Home Depot Breach Update

It has been nearly a week, and The Home Depot has still not confirmed that it is the latest victim of point-of-sale hackers in what is potentially a massive data breach.    The company has confirmed that it has been in contact with the U.S. Secret Service about investigation into a potential breach and Chief Executive Officer Frank Blake told investors at the annual Goldman Sachs Retailing Conference last Thursday that Home Depot and investigators were working around the clock to find a breach.   He has yet to confirm that a breach has occurred.

The delay has engendered the filing of at least one purported class action law suit in the U.S. District Court for the Northern District of Georgia, Atlanta Division.   The suit — filed last Thursday — alleges that Home Depot failed to meet its legal obligation to protect the putative plaintiffs credit card and personal information and failed to timely warn them that their information had been stolen or compromised.   The complaint alleges that in “late April or early May 2014, computer hackers gained access to Home Depot’s POS data network and stole the personal financial information of hundreds of thousands, if not millions, of Home Depot’s customers.”   None of these facts have been confirmed by the retailer and have only appeared in the security blog, Krebs on Security, as reported by “unnamed banking sources.”

Continue Reading Privacy Monday – September 8, 2014

It appears that the data breach victim of the week (perhaps of the year) is The Home Depot.  Brian Krebs has reported that it appears that two large dumps of purloined credit card numbers have made an appearance on the black market and that those numbers may have originated at Home Depot locations.   Krebs’ reporting is here.

This latest incident raises yet another round of concerns about the malware known as “Backoff” and the potential widespread effect on retailers.  We posted a Backoff update last week.  According to the New York Times, when one adds the compromised records in Target, PF Chang’s, Neiman Marcus, Sally Beauty, Michaels, UPS and others, the number of affected customers amounts to more than one-third of the U.S. population.

Roundup of some latest reporting on the Home Depot breach:

Home Depot Breach Could Be as Big as Target’s – Computerworld

What it Means for Home Depot if Breach is as Big as Target’s – Forbes

Home Depot Tries to Reassure Customers – Wall Street Journal

The Home Depot story is rapidly evolving and we will update as further information is available.