Home Depot to Pay $28 Million in Breach Suit
Home Depot agreed to a multimillion dollar settlement with a class of up to 53 million consumers whose payment card or email data was stolen during the retailer’s 2014 data breach, according to new documents filed in a Georgia District Court.
The chain of home improvement stores agreed to pay $13 million to consumers for out-of-pocket losses, unreimbursed charges and time spent dealing with accounts affected by the data breach, as well as at least $6.5 million to provide class members with 18 months of identity protection services. In addition, the retailer will also pay up to $8.775 million in plaintiffs’ attorney fees and expenses.
“In light of the terms of the settlement and the procedural hurdles that class members would have to overcome before any recovery, it is my view that the proposed settlement fairly and efficiently provides meaningful relief,” consumer plaintiffs’ attorney Roy Barnes wrote in a motion supporting the settlement.
Settlement class members who submit valid claim forms and documentation can get up to $10,000 each, according to the settlement. Home Depot will reimburse consumers at a rate of $15 an hour for up to five hours spent dealing with the aftermath of the breach.
Financial institutions filed a separate class action suit against Home Depot. That case is still working its way through the court system.
As part of the 102-page settlement in the consumer case Tuesday, Home Depot agreed to create a chief information security officer position, implement various safeguards related to storing customer data, provide better employee training, and raise security standards for vendors and service providers. The retailer also agreed to increase security measures at the point of sale and use EMV technology. It did not admit to any liability or wrongdoing.
Between April 10, 2014, and Sept. 13, 2014, hackers used a third-party vendor’s credentials to get control of Home Depot’s data systems and install malware that stole names, card numbers, expiration dates and three-digit security codes, according to the documents. The hackers also stole a separate file of email addresses. The hackers then sold the data on the Internet, according to attorneys for the plaintiffs.
According to the documents, attorneys for Home Depot and the plaintiffs had been negotiating the settlement for seven months. A Georgia District Court must still approve the settlement.