Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Home Depot Asked to Disclose Breach Settlement Details

Georgia Court Grants Attorneys Opportunity to Review Parts of Home Depot, MasterCard Deal
Home Depot Asked to Disclose Breach Settlement Details

A Georgia district judge has asked Home Depot to disclose communications that were sent to issuers about a deal with MasterCard to settle fraud losses and other expenses suffered by banks and credit unions in the wake of the retailer's 2014 data breach.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

Now, according to an order that was filed Dec. 14 with the U.S. District Court for the Northern District of Georgia, attorneys representing banks and credit unions in a class-action suit against Home Depot have until the end of January to review those communications and determine whether further relief is necessary. The ruling comes a month and a half after Home Depot filed a motion for clarification regarding how limiting communications with financial institutions, which could potentially be involved in a class-action suit against Home Depot, could be unlawful.

In part, plaintiffs' attorneys will be reviewing communications to see which, if any, were sent with Home Depot's knowledge, and determine if some banks and credit unions felt obliged to accept terms of the settlement without fully understanding or knowing all of the financial terms.

"Under MasterCard's rules, this [settlement] process provides partial compensation for certain losses financial institutions have incurred as a result of data breaches and does not require a release of financial institutions' claims," plaintiffs' counsel notes in a motion for injunctive relief filed Dec. 8. "Home Depot and MasterCard instead have sought to turn the card recovery process into a pseudo-class settlement that releases all the claims in this litigation. In the meantime, class members have received misleading and coercive messages about what is happening and are being told they must act immediately or lose their rights. In fact, the deadline for some absent class members to act already has passed."

In a Dec. 15 statement, the attorneys for the financial institutions suing Home Depot note: "We are pleased the court agreed that the communications received by financial institutions about the Home Depot/MasterCard settlement were 'misleading and coercive' and warrant further scrutiny. The order granting immediate discovery will allow the court to learn all the facts about Home Depot's agreement with MasterCard and determine whether to grant plaintiffs' request to vacate any releases and require a curative notice be sent to class members. In the meantime, we recommend that financial institutions not accept any tentative settlement offer until sufficient information is provided that enables them to make an informed decision."

Attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says the order entered by the judge this week places both parties on an equal footing, "ensuring that accurate and transparent communications regarding potential settlement shall be shared with both parties ahead of time, contain certain disclosures and be up front on the settlement."

Pierson says the ruling ensures "basic fairness," and puts both sets of counsel on notice that they must be responsible for their notice to class members.

Communications About Proposed Settlement

Three payments and core-banking processors - FIS, Fiserv and Vantiv - sent letters to issuers last month about MasterCard's proposed settlement with Home Depot, according to the Atlanta Business Chronicle. Each letter specified response deadlines from Dec. 2 through Dec. 7.

The letters also note that any issuer that accepts the terms of the "alternative recovery offer," part of MasterCard's account data compromise program, forfeits its rights to pursue further compensation through a class action suit.

But Home Depot says it was not involved with or aware of any communications that were sent to banks and credit unions.

"There is a tentative settlement in place with MasterCard, but I can't discuss the details of the settlement," Home Depot spokesman Stephen Holmes told Information Security Media Group on Dec. 4. "What I can tell you is that we did not send any communications, nor were we aware of any communications being sent."

During the discovery process granted by the court this week, plaintiffs' attorneys will gauge whether they believe Home Depot did, in fact, have no knowledge of the communications. A hearing will likely be held in February, Home Depot says, at which time the judge will determine whether any further relief is necessary.

Claims Against Home Depot, So Far

Attorneys representing banks and credit unions in their class-action suit claim Home Depot used deceptive practices to convince issuers to accept a settlement for which no financial details were provided (see Will Banks Reject Home Depot Breach Settlement?).

What's more, plaintiffs' counsel claims Home Depot and MasterCard contacted banks and credit unions about accepting the settlement before notifying the banks' attorneys that a settlement had even been reached.

"Until Home Depot discloses all the facts relating to its agreement with MasterCard, financial institutions should reject any settlement that does not offer significant reimbursement for their losses beyond what they are already entitled to receive under MasterCard's rules without releasing their legal claims," the attorneys note in a Dec. 4 statement about the settlement proposal.

Those attorneys argue that recovery paid out through the account data compromise program should be paid regardless of whether a class-action suit seeking additional compensation is filed.

"The settlement uses MasterCard's Account Data Compromise (ADC) program to offer financial institutions partial recovery amounts for their losses sustained during the data breach," plaintiffs' attorneys note in their Dec. 4 statement. "However, these settlements do not disclose to financial institutions that they are not required to sign a release in order to participate in MasterCard's ADC program, and should be able to retain their right to pursue legal claims against Home Depot."

On Nov. 30, those attorneys filed a motion to have the court force Home Depot to immediately disclose details about the settlement.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.