A federal judge in Georgia has ruled that the class action lawsuit filed by banks against Home Depot over Home Depot’s massive 2014 breach may proceed. The judge ruled that the banks’ allegations of negligence on Home Depot’s part appear to have merit. That is probably not a great start for Team Home Depot.
The banks want to be reimbursed for losses they experienced and for costs of reissuing cards. While big banks can reissue cards for less than $5 each, small banks spend up to $10 each. If we use the lower number times the 50 million cards compromised, that cost alone is $250 million, which is more than Home Depot has spent so far as a result of the breach (about $150 million net of insurance). That does not consider the cost of any fraud, which the banks want to recover as well.
*IF* the banks are successful in the end, this would really change the game regarding credit card breaches.
District Court Judge Thomas Thrash apparently does not believe that Home Depot is totally innocent in this situation. He said:
“The court declines the defendant’s invitation to hold that it had no legal duty to safeguard information, even though it had warnings that its data security was inadequate and failed to heed them,” Thrash writes. “To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyberattacks, leaving consumers with no recourse to recover damages, even though the retailer was in a superior position to safeguard the public from such a risk.”
There are some unusual details in this case – not all other cases would necessarily match this one. According to the suit:
- As far back as 2008, Home Depot’s IT staff told management that the retailer’s computer systems were easy prey for hackers.
- Home Depot was warned again in 2009 and 2010 by computer experts that they needed to encrypt point of sale data and that there were security flaws that would allow hackers to infiltrate the network without setting off alarms.
- In 2011 numerous employees working on data security issues left, leaving the IT department understaffed.
- In 2013, in two separate breaches, point-of-sale terminals in Texas and Maryland were infected.
- On October 1, 2013, FishNet Security warned Home Depot that their systems were vulnerable because the firewall was not operating properly (THE firewall? Really? ONE firewall?).
- In December 2013, when the Target breach occurred, Home Depot finally decided to form a committee.
- In January 2014 an outside consultant told Home Depot that their network was vulnerable to attack and did not comply with industry standards. I assume this was their annual PCI audit, since Home Depot did admit that they were not PCI compliant at the time of the attack after initially saying that they were.
- In February 2014, the committee offered recommendations to improve security, but by the time Home Depot started to implement these changes, the attackers were already inside the network. That likely occurred in March or April 2014.
Obviously, there is a long way to go before this is ultimately decided – likely years – but there is enough money at stake, maybe $250 to $500 million, that Home Depot is going to fight this. However, the allegations that have come out already are not pretty and *IF* this goes to trial, we should assume we will see more of this.
Also remember that the insurance has paid out all that they are going to pay, so when there is a settlement or judgement, the money will come out of shareholders’ pockets. This is true even if the insurance is paying for the legal defense, which they could be doing, depending on the terms of their insurance policy. Sometimes, legal expenses fit into a separate bucket and sometimes that is not capped.
Finally, it is important to remember that there is a shareholder derivative class action lawsuit also pending, and the facts that are established in this case could affect the outcome of that case.
What is clear is that Home Depot is going to be very familiar with the inside of courtrooms, depositions and motions for years to come.
Without regard to the eventual outcome of these class action lawsuits, two years have passed since the breach was discovered and the lawsuits haven’t even hit the trial court yet, never mind appeals. This will be a big distraction for the Home Depot management team and Board for quite a while.
Information for this post came from Bank Info Security.