Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot. The cash and noncash terms of the proposed settlement are unexceptional. What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided. The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side. Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements.
Prior to settlement, Home Depot had followed the standard playbook for defense of a consumer data breach claim, seeking dismissal of the action on standing grounds due to plaintiffs’ inability to establish injury resulting from the theft of credit and debit card numbers. While defendants have had notable success in defeating consumer data breach claims on standing grounds – primarily because card issuers hold consumers harmless for fraud losses on their cards – recent decisions, exemplified by the denial of the motion to dismiss consumer claims in the Target data breach litigation, have concluded that consumers do suffer injury in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” The growing frequency of courts finding standing to bring consumer payment card data breach claims posed for Home Depot the not-inconsiderable risk that the consumer claims would survive its motion to dismiss, requiring Home Depot to proceed to expensive document and deposition discovery.
At the same time, the cost of settling consumer claims has proven to be relatively small, even for classes numbering in the tens of millions of consumers. The “injuries” that courts have relied upon to find standing still do not add up to large dollar value claims on a per-class member basis. In the Target case, the claims of the 40 million-member consumer class settled for $10 million. The small size of the Target settlement relative to the size of the class was not an anomaly. As previously reported, plaintiffs in Target submitted a chart to the court detailing prior consumer data breach settlements. The chart showed that the cash cost of a large data breach settlement is typically $1.00 or less per class member. The Target settlement itself came in at approximately $0.25 per class member. The pattern revealed in Target’s submission and in the Target settlement itself surely sent a strong signal to both sides as to the likely settlement range for the consumer claims in the Home Depot case.
Meanwhile, even as the motion to dismiss was being considered by the court, the parties were engaged in the process of planning for discovery. At the time of the settlement the parties had already come to agreement on a scheduling order, merits and expert discovery protocols, a confidentiality agreement and protective order, and a stipulation concerning authentication of documents. The case settled during the negotiation of a protocol for discovery of electronically stored information. On top of all of this, plaintiffs had propounded 126 document requests on Home Depot. Based on those activities, the parties would have understood that the impending costs of document production by Home Depot and document review by plaintiffs would be staggering, as would the subsequent cost to both parties of extensive deposition practice and expert discovery. Given the benchmark established by Target and other similar cases, the anticipated discovery costs in Home Depot could easily equal or exceed the likely cost to settle the consumer claims.
Unsurprisingly, the proposed Home Depot settlement falls comfortably within the range indicated by the survey of data breach settlements that was submitted to the court in Target. The Home Depot settlement provides for payment of $13 million to the class, and guarantees that Home Depot will spend $6.5 million to pay for credit protection for the class. Note, however, that cash payments to class members from the $13 million settlement fund will be distributed on a claims-made basis. If class members fail to claim the entire $13 million, the undistributed balance may be used to defray the cost of notice to the class and then, if funds still remain, the cost of purchasing credit protection. If the claim rate is low enough, it is possible that Home Depot’s entire payment obligation under the settlement for the benefit of the class will not exceed $13 million settlement floor. Either way, the settlement range of $13 million to $19.5 million will yield per-class member benefits for the 40 million class members whose payment card numbers were stolen of between $0.33 and $0.49 per person. Note that here, as in Target, attorneys’ fees are requested in addition to the class distribution, with the request here equaling $8.475 million. Home Depot has the right to challenge the fee award, but has waived any right of appeal from the trial court’s fee determination.
It is also worth noting how the cost of the consumer settlement compares to the overall cost of settlement. As was the case for Target, the cost of settling the consumer claims is a small portion of the overall costs to Home Depot arising from the data breach. According to a report by Reuters, Home Depot said it had booked $161 million of pre-tax expenses for the breach, including for the consumer settlement, and after accounting for expected insurance proceeds (reported by Home Depot in its last Form 10Q quarterly report to total about $100 million). Thus, the largest amount that Home Depot could pay in settlement of the consumer claims (including attorneys’ fees) would equal just under 11% of the $261 million in breach-related expenses incurred by Home Depot. The ability to settle for around 10% of the total data breach exposure – and the opportunity to avoid incurring additional litigation expenses that would drive up both totals – would provide another justification for striking an early deal to resolve the consumer claims.