Home Depot's $19.5 million settlement with consumers affected by the retailer's 2014 payments breach is unlikely to have much impact on a pending class-action suit filed by banking institutions against the big box retailer in May 2015 to recoup breach-related expenses (see Why Banks Sued Home Depot).
"The question of liability on behalf of Home Depot as it relates to the banks is something that is separate and distinct from the consumer suits," says cybersecurity attorney Chris Pierson, CISO for invoicing payments provider Viewpost. "However, this settlement sheds light on the business rationale underpinning the company and its priorities. It is not unsurprising given the status of enforcement actions, need to return to business as usual processes, and current threat matrix that a business would seek a quick resolution to these lawsuits."
The consolidated consumer class-action lawsuit was filed against Home Depot in early May 2015, just before banks and credit unions filed their suit tied to the breach of payment card data. The breach was caused by the compromise of a third-party vendor's credentials that were used to launch a point-of-sale malware attack against Home Depot's payments system (see Home Depot, Target: Same Breach Script?).
Terms of Settlement
In its proposed settlement with consumers, which is still subject to approval by a federal court, Home Depot agreed to establish a cash fund totaling $13 million to compensate affected consumers for "documented out-of-pocket losses, unreimbursed charges and time spent remedying issues relating to the Home Depot data breach."
Consumers who submit claims also may "self-certify" time they spent remedying issues related to the breach at $15 per hour for up to two hours, according to settlement court filings.
Home Depot also agreed to pay an additional $6.5 million to fund 18 months of identity protection services for consumers who had their payment card data compromised as part of the breach.
The company also says in the settlement that it plans to "adopt and implement" new data security measures to protect the personal and financial information of its customers, as well as create a CISO position.
An estimated 40 million consumers had their payment cards compromised in the Home Depot breach, and some 53 million had their email addresses compromised, according to the settlement documents.
"We're working to put the litigation behind us and this was the most expeditious path, but it's not an admission of liability," Home Depot spokesman Stephen Holmes tells Information Security Media Group. "Keep in mind that customers were not responsible for fraudulent charges and they've been our primary focus throughout."
John Buzzard, director of product management for security firm Rippleshot Fraud Analytics, says the fact that more consumer class-action suits, such as the one against Home Depot, are being settled proves retailers are going to be expected to do more in the wake of a payments breach.
"This case and the fact that it had legs and made it all the way to settlement is emblematic of the seriousness with which lawmakers and consumers view these compromises today," he says. "It's no longer acceptable to simply issue an apology and have that suffice as restitution to the consumer and card issuers."
What's more, Buzzard says more organizations are pumping funding into their IT security budgets to be more proactive about breach prevention. "This means that commercial concerns are taking data security far more seriously than ever before," he says. "We are at that tipping point where reasonable care to protect data may be viewed by the legal system as woefully inadequate."
Similar Settlements
Last year, Target reached a $10 million settlement of a lawsuit tied to its 2013 breach, compensating affected consumers who could prove they had suffered damages that were not reimbursed by financial institutions (see Judge OK's Target Breach Settlement).
But many consumer class-action suits involving the breach of payment card data have failed in the courts because it's been difficult for consumers to prove harm (see Why So Many Data Breach Lawsuits Fail). Consumers rarely suffer financial losses associated with a payment card breach. Banking institutions almost always reimburse consumers for losses they suffer because of fraud, and federal laws such as Regulation E, the Electronic Fund Transfer Act, provide additional debit and credit protections that banking institutions are required to cover.
Thus, the settlements of consumers' suits against Target, and now Home Depot, are largely public relations moves, some security experts say.
"The terms of the settlement agreement include provisions for improvements in data security and the hiring of a CISO to oversee the process, which implies that they were not taking the right steps even after the breach to secure data nor did they have the right organizational structure in place to manage for the future risk of a breach," says Al Pascual, head of fraud and security for Javelin Strategy & Research. "That, in turn, is inconsistent with the message that Home Depot attempted to convey via their press release after the breach.
"This kind of behavior is endemic to an organization that only appears to address cybersecurity vulnerabilities when forced to, either through public scrutiny or legal action. ... It will be critical that Home Depot's CISO is given the latitude and funding to make the decisions that are truly in the best interest of the organization and its customers, reporting directly to the board and with a budget commensurate to the task."