In late 2014 Home Depot announced that hackers compromised their security and stole 50 million credit cards and another 50 million loyalty cards. 18 months later, there are still three class action lawsuits pending. One is close to settling. In a recent 10-K filing with the SEC, Home Depot said that they had spent over $150 million on the breach, net of what their insurance paid, which is reputed to be another $90-$100 million.
While I do not have any personal knowledge of the breach, industry reports suggest that their cyber hygiene was sub-standard, an issue that could affect the outcome of the three class actions still in play.
Some people say that the breach was not so bad. They measure that by the stock price and that has held up. Part of that may be that Home Depot did a better job of communicating, but it may be that investors know that the business will eventually recover. If you assume that they spent $161 million so far and there are still lawsuits to settle, they could easily spend a quarter of a billion dollars – or more – before this is over. That, I suggest, is bad. It is money that would have otherwise flowed to shareholders or been reinvested in the business. Now it will go to lawyers and plaintiffs.
The first lawsuit to be filed was by consumers and it is the least painful. Since the banks make consumers whole, for the most part, the value of the damage is small. Currently, there is a preliminary settlement for this suit, which, if approved, would cost Home Depot another $20 million plus a requirement to enhance security – whatever that costs.
The second suit is from the banks. They say they spent $150 million reissuing cards. Fraud is on top of that. Home Depot’s lawyers say that the banks don’t have standing to sue. We shall see. Home Depot’s story is that they don’t have a contract with YOUR bank – the one that reissued your card, only their bank. This has been tried before without success, but you can’t blame a guy for trying. Stay tuned. This COULD cost Home Depot a lot of money, depending.
The third lawsuit is from the shareholders, who filed a derivative lawsuit against the company and 12 board members directly. This is the one that could hurt. So far, it has been next to impossible to succeed at suing Boards and Directors, but this is no ordinary breach, so stay tuned. The suit says that the company and the Board breached their fiduciary duty by failing to make sure that the company took reasonable steps to protect consumer’s information. What is unclear is what the damage is. If the stock price didn’t take a hit, were they damaged? Of course, the company will spend $150-$250-$350 million dealing with the breach. Maybe the company would be much better off if the executives could focus for 3 or 4 years on running the company rather than fending off lawsuits. IF this suit prevails, it could open up the floodgates for similar shareholder lawsuits.
We do need to remember that the $161 million expense is pretax, so depending on their tax rate, it will be less. Of course, that means that you and I get to pay again for Home Depot’s mismanagement – the first time in bank fees that the banks use to cover the breach cost and the second time in tax savings because breach costs are tax deductible.
All companies should be watching for the outcome of this case and checking out their cyber breach preparedness. For small companies, suits like this are often fatal.
Information for this post came from JDSupra.