The September 8th announcement by Home Depot that approximately 56 million customer credit and debit accounts had been exposed to hackers has resulted in a wellspring of lawsuits against the retailer. Now, the U.S. Judicial Panel on Multidistrict Litigation has ordered that eleven of these cases be consolidated in an MDL.
The cases will be overseen by U.S. District Judge Thomas W. Thrash in the Northern District of Georgia.
With other large-scale data breaches, such as the recent cyber-attack against Sony Pictures Entertainment, grabbing headlines and raising concerns over the safety of consumer information, the action against Home Depot will potentially set the tone for future data breach litigation.
James J. Pizzirusso – a partner at Hausfeld in the firm’s Washington, D.C. office – is currently representing a plaintiff in one of the MDL’s early cases.
James, in what ways is this MDL different from (or similar to) the Target data breach MDL?
The cases are similar in a lot of respects. Both involve security breaches at huge, national, and trusted retailers that affected millions of people. Both involved the retailers’ point of sale systems. In addition, both resulted in banks and credit unions losing tens of millions of dollars in card replacement costs, fraudulent charges, lost business, and hundreds of thousands of hours of uncompensated labor involved in handling customer inquiries. One difference is the scope. It is estimated that Target’s breach lasted about three weeks, while Home Depot’s lasted over four months—from April until September of 2014. This also likely leads to much larger costs associated with the Home Depot breach. At this point, it looks like the Home Depot breach could end up being the largest retail breach in history.
How was Home Depot’s security deficient? How would the breach have been prevented if proper safeguards were in place?
We won’t know the full details until we get into discovery in the litigation. From what we do know, it appears that Home Depot may have been deficient in a few respects. First, it was not up to date on its basic antivirus software. Second, Home Depot had purchased but failed to activate a security tool that would have encrypted card data as it was transferred from the point of sale devices to its servers.
Is the full extent of the data breach known at this time?
No. Home Depot has disclosed that about 56 million payment cards were exposed in its breach. The Credit Union Association of North America (CUNA) has estimated that for its members alone, 7.2 million cards were breached at a cost of $57.4 million in unreimbursed costs. The total damages to financial institutions are therefore in the many hundreds of millions of dollars.
Do you foresee more litigation over data breaches of this nature taking place in the future, or is the retail industry adapting to these data security issues?
Data breach litigation is going to become much more common in the coming years, as more information is stored remotely and hackers become increasingly sophisticated. But hopefully retailers will use new technology to protect themselves and adapt to the changing landscape. It is likely that everybody will be hacked at some point; the issue is what the hackers have access to and what they can do with it. Home Depot (and Target before them) were ill-prepared and allowed hackers to access and remove sensitive financial data that they never should have been able to access. Our hope is the other retailers will take note and prevent future breaches (and thus litigation).
How will the choice of venue in Georgia affect the litigation?
We feel that this is a strong case in any venue, given the underlying facts. We supported transfer to Georgia given that this is where Home Depot is headquartered. The cases have been consolidated in front of Judge Thrash, who is a very capable jurist who has handled many large-scale and complicated litigations such as this one. We are very much looking forward to getting underway and helping our clients begin to recover the losses they suffered as a result of Home Depot’s failures to act.
What is the larger component of this litigation – consumer damages or business damages?
We believe that financial institution damages will far outweigh those of consumers. For one, when there are fraud losses, those are generally covered by the bank. In addition, financial institutions have spent hundreds of millions of dollars replacing breached cards.
Does Home Depot’s offer to provide identity protection services to customers affect their liability, or is it only a public relations move?
It certainly does not impact their liability with respect to financial institutions. I do not represent consumers so I haven’t evaluated those claims.