Early Settlement of Home Depot Consumer Data Breach Claims – Start of Trend?

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements.

Prior to settlement, Home Depot had followed the standard playbook for defense of a consumer data breach claim, seeking dismissal of the action on standing grounds due to plaintiffs’ inability to establish injury resulting from the theft of credit and debit card numbers.  While defendants have had notable success in defeating consumer data breach claims on standing grounds – primarily because card issuers hold consumers harmless for fraud losses on their cards – recent decisions, exemplified by the denial of the motion to dismiss consumer claims in the Target data breach litigation, have concluded that consumers do suffer injury in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  The growing frequency of courts finding standing to bring consumer payment card data breach claims posed for Home Depot the not-inconsiderable risk that the consumer claims would survive its motion to dismiss, requiring Home Depot to proceed to expensive document and deposition discovery.

At the same time, the cost of settling consumer claims has proven to be relatively small, even for classes numbering in the tens of millions of consumers.  The “injuries” that courts have relied upon to find standing still do not add up to large dollar value claims on a per-class member basis.  In the Target case, the claims of the 40 million-member consumer class settled for $10 million.  The small size of the Target settlement relative to the size of the class was not an anomaly.  As previously reported, plaintiffs in Target submitted a chart to the court detailing prior consumer data breach settlements.  The chart showed that the cash cost of a large data breach settlement is typically $1.00 or less per class member.  The Target settlement itself came in at approximately $0.25 per class member.  The pattern revealed in Target’s submission and in the Target settlement itself surely sent a strong signal to both sides as to the likely settlement range for the consumer claims in the Home Depot case.

Meanwhile, even as the motion to dismiss was being considered by the court, the parties were engaged in the process of planning for discovery.  At the time of the settlement the parties had already come to agreement on a scheduling order, merits and expert discovery protocols, a confidentiality agreement and protective order, and a stipulation concerning authentication of documents.  The case settled during the negotiation of a protocol for discovery of electronically stored information.  On top of all of this, plaintiffs had propounded 126 document requests on Home Depot.  Based on those activities, the parties would have understood that the impending costs of document production by Home Depot and document review by plaintiffs would be staggering, as would the subsequent cost to both parties of extensive deposition practice and expert discovery.  Given the benchmark established by Target and other similar cases, the anticipated discovery costs in Home Depot could easily equal or exceed the likely cost to settle the consumer claims.

Unsurprisingly, the proposed Home Depot settlement falls comfortably within the range indicated by the survey of data breach settlements that was submitted to the court in Target.  The Home Depot settlement provides for payment of $13 million to the class, and guarantees that Home Depot will spend $6.5 million to pay for credit protection for the class.  Note, however, that cash payments to class members from the $13 million settlement fund will be distributed on a claims-made basis.  If class members fail to claim the entire $13 million, the undistributed balance may be used to defray the cost of notice to the class and then, if funds still remain, the cost of purchasing credit protection.  If the claim rate is low enough, it is possible that Home Depot’s entire payment obligation under the settlement for the benefit of the class will not exceed $13 million settlement floor.  Either way, the settlement range of $13 million to $19.5 million will yield per-class member benefits for the 40 million class members whose payment card numbers were stolen of between $0.33  and $0.49 per person.  Note that here, as in Target, attorneys’ fees are requested in addition to the class distribution, with the request here equaling $8.475 million.  Home Depot has the right to challenge the fee award, but has waived any right of appeal from the trial court’s fee determination.

It is also worth noting how the cost of the consumer settlement compares to the overall cost of settlement.  As was the case for Target, the cost of settling the consumer claims is a small portion of the overall costs to Home Depot arising from the data breach.  According to a report by Reuters, Home Depot said it had booked $161 million of pre-tax expenses for the breach, including for the consumer settlement, and after accounting for expected insurance proceeds (reported by Home Depot in its last Form 10Q quarterly report to total about $100 million).  Thus, the largest amount that Home Depot could pay in settlement of the consumer claims (including attorneys’ fees) would equal just under 11% of the $261 million in breach-related expenses incurred by Home Depot.  The ability to settle for around 10% of the total data breach exposure – and the opportunity to avoid incurring additional litigation expenses that would drive up both totals – would provide another justification for striking an early deal to resolve the consumer claims.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Home Depot Moves to Dismiss Consumer Data Breach Claims for Lack of Standing

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims. While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.

Arguments as to standing are grounded in Article III, Section 2 of the United States Constitution, which limits the jurisdiction of federal courts to “cases” or “controversies.”   To constitute a case or controversy, a claim cannot arise from a speculative or potential harm, but rather must concern an actual or imminent injury.  Thus, in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), the Supreme Court ruled that mere interception of private data – in that case, by the National Security Agency, through its wiretaps of telephone and email communications – did not confer standing to sue.  Clapper held that speculation that intercepted data might be misused did not confer Article III standing; actual use or misuse of the intercepted information was required.  Defendants in privacy cases, citing Clapper, have succeeded in dismissing data breach claims for lack of standing where data breach plaintiffs have not alleged actual misuse of their data.  See, e.g., Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013).

Home Depot’s brief in support of its motion to dismiss relies heavily on Clapper to support its argument that none of the named plaintiffs have suffered actionable injuries.  Home Depot contends that consumers could not have been injured when card issuers hold consumers harmless for fraudulent charges and Home Depot offered free credit monitoring to affected customers.  The Home Depot brief dismisses plaintiffs’ attempts to plead non-monetary harms, alleging that none of the alleged harms constitute injuries that are cognizable under Article III.  For example, some plaintiffs alleged that they suffered inconvenience and embarrassment as a result of temporarily frozen bank accounts.  According to Home Depot, in the absence of any out-of-pocket losses such alleged harms are not actionable injuries.  Some plaintiffs incurred out-of-pocket credit monitoring costs, but Home Depot takes the position that doing so was gratuitous in light of the free services offered by Home Depot.  Some plaintiffs also alleged out-of-pocket costs associated with fraudulent charges on their payment cards, but Home Depot contends that such injuries are not fairly traceable to Home Depot because such charges should have been covered by the card issuers.

There are also plaintiffs who alleged that they suffered identity theft.  Home Depot argues that such allegations should be rejected as implausible because, based on plaintiffs’ own allegations, the data theft did not result in the theft of social security numbers or date of birth information, both of which would be required to successfully steal an identity was not compromised in the HD data breach.

Although Home Depot makes strong arguments why plaintiffs lack standing, it is constrained to admit in its brief that the court hearing the Target data breach cases rejected an identical standing argument that and been advanced by Target.  In the opinion denying Target’s motion to dismiss, the court gave Target’s standing arguments cursory treatment, finding that “Plaintiffs have alleged injury” in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  Although Target, like Home Depot, contended that such alleged injuries are insufficient to confer standing because “Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts . . . ,” the court rejected this argument, stating that Target had “set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.”

Home Depot characterizes the Target decision as an outlier that offers no support for its rejection of Target’s standing arguments.  Further, the Target decision did not rule out the possibility injuries alleged would not be fairly traceable to Target’s conduct, stating that, “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”  Although the settlement of Target’s consumer claims means that the proposition will not be tested in that case, the Target court’s recognition that injury matters for standing purposes provides some support for Home Depot’s position that the Target decision should be disregarded if it is apparent at the pleading stage that no injury has occurred.