Online Extra: Home Depot to Pay $13 Million to Settle Consumers' Data Breach Case

The Home Depot will pay $13 million to resolve claims by customers whose personal information was exposed to hackers during a massive data security breach in 2014.

The settlement agreement, filed in March in U.S. District Court in Atlanta, would certify a class of Home Depot customers to include all U.S. residents whose personal information was compromised after they used payment cards at self-checkout lanes at U.S. Home Depot stores between April 10, 2014, and Sept. 13, 2014, according to court papers.

Home Depot has said that the breach ‘ which exposed customers’ payment card account numbers, expiration dates and cardholder names’affected as many as 56 million customers. Lawyers from nine law firms that were members of a steering committee shepherding the multidistrict litigation, including former Georgia Gov. Roy Barnes, on Monday asked U.S. District Chief Judge Thomas Thrash Jr. to grant preliminary approval of the settlement and certify the consumer class. Barnes is liaison counsel for the consumers.

The agreement says Home Depot will also pay reasonable legal fees, costs and expenses, up to $8,475,000 in fees and legal costs and expenses that do not exceed $300,000.

King & Spalding represented Home Depot. Company spokesman Stephen Holmes said that settling the case was the most expeditious path to ‘put the litigation behind us,’ adding that the settlement was not an admission of liability.’Home Depot customers, he said, were not held responsible for any fraudulent charges made against their accounts.’ And although he acknowledged that customers’ credit card numbers were exposed, he said that Home Depot has no evidence that customers’ PIN numbers’were compromised. ‘

Barnes and partner John Bevis were not available for comment.

The $13 million settlement fund will compensate class members for out-of-pocket losses, unreimbursed charges and other substantiated losses, up to a maximum of $10,000. Class members may also submit claims with supporting documentation to receive reimbursement for up to five hours, at $15 an hour, for time spent remedying issues relating to the data breach, according to settlement documents. Those who cannot separately document their time may self-certify the amount of time they spent without documentation and claim up to two hours at $15 an hour. Home Depot has also agreed to fund 18 months of identity protection for the class members whose payment cards were compromised.

Home Depot also has agreed to implement specific data security measures in its U.S. stores for at least two years. Those measures include creating a chief information security officer; the routine performance of product and data risk assessments; implementing safeguards as a result of those risk assessments; and setting standards for the selection and retention of service providers or vendors whose data security practices are consistent with industry standards.

Home Depot will also provide written notice to store customers disclosing the storage and use of customer information; provide employee education and training regarding customer privacy and security; and implement enhanced security measures at the point of sale. Home Depot also will encrypt all payment card data at the point of sale; and will not retain card security code data, PIN numbers or the full contents of magnetic stripe data for longer than 48 hours.

The settlement includes only Home Depot customers.

Financial institutions that issued credit or debit cards to customers that were compromised by the data breach also have sued Home Depot for damages incurred by the breach. Those cases are still being litigated.

‘–’R. Robin McDonald, Daily Report