Home Depot has reached a proposed multimillion-dollar settlement with financial institutions affected by its 2014 data breach, according to documents filed in a U.S. District Court.
The retailer agreed to pay up to $25 million to affected financial institutions, as well as up to $2.25 million to entities whose claims were released by a sponsor such as a card processor. Class members that file valid claims will get a “fixed payment award” of about $2 per compromised card without having to prove their losses, even if they’ve received compensation from another source.
Financial institutions that can prove their losses may get an additional “documented damages award” of up to 60% of their uncompensated costs, according to the settlement documents. The settlement fund excludes attorneys’ fees.
“Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards. This settlement would be a step toward making them whole again. We believe this settlement represents one of the better outcomes in data breach litigation,” CUNA President/CEO Jim Nussle said. “We’re hopeful credit unions will see more victories in data breach suits going forward. In the meantime, CUNA will continue pursuing a legislative solution that will result in stricter merchant data security standards, making it much harder for merchants to compromise payment card information.”
In September 2014, Home Depot announced that hackers stole payment card data from customers who made purchases at self-checkout terminals between April 10, 2014, and Sept. 13, 2014. The hackers also stole a separate file of customer email addresses.
The new multimillion-dollar proposed settlement is the latest in a series of payouts associated with Home Depot’s data breach.
The home improvement retailer has spent approximately $14.5 million on premiums to MasterCard and Visa issuers in exchange for releases, as well as $79 million under Visa’s GCAR program and $41 million under MasterCard’s ADC program to partially compensate financial institutions for their losses, according to a court filing from an attorney representing the financial institutions.
Coupled with amounts paid in settlements with American Express and Discover, the plaintiffs estimated Home Depot has already paid more than $140 million to financial institutions.
In addition, in March 2016, Home Depot agreed to pay $13 million to consumers affected by the data breach, as well as at least $6.5 million to provide them with 18 months of identity protection services. That’s excluding attorneys’ fees.
As part of its latest settlement agreement, which is 74 pages long, Home Depot agreed to track and manage its data security risk assessments using a risk-exception process; conduct annual reviews of service providers and vendors that have access to payment card information to ensure their compliance with security practices, and create a security-control framework. It did not admit to any liability or wrongdoing.
The settlement still requires final approval.
