Home Depot’s legal battles over the massive 2014 data breach that saw millions of customers’ card accounts compromised may finally be nearing an end, with news that the home repair retailer has reached a deal that will pay $25 million to banks and credit unions who had to help mop up Home Depot’s mess.
Lawyers representing the financial institutions suing Home Depot filed a memorandum [PDF] with the court last night, detailing the proposed settlement.
In addition to paying the plaintiff banks $25 million, Home Depot will pay as much as $2.25 million to other former plaintiffs who had released their claims “after they received misleading communications.”
The company has also pledged to “implement enhanced security measures to reduce the risk of a future data breach.”
For those who’ve forgotten, in Sept. 2014, Home Depot confirmed that not only had the payment systems used on its in-store self-checkout terminals been compromised, but that the cybercriminals had been siphoning off card information for months before the breach was detected.
In all, payment information for some 56 million card accounts was stolen. Not only did the banks and credit unions need to deal with identifying and crediting customers for fraudulent transactions, they also say they had to spend significant resources replacing cards.
In the wake of the breach, affected financial institutions filed dozens of lawsuits against Home Depot. These actions were ultimately consolidated into one multi-district litigation case that also involved separate customer lawsuits over the breach.
Meanwhile, the plaintiff banks say that Home Depot was attempting an end-run around this lawsuit by making deals that were misleading. The MasterCard and Visa networks have programs where breached retailers like Home Depot can provide partial compensation to affected payment card issuers. These programs do not require the issuer to release their legal claim against the retailer.
However, the banks alleged that Home Depot convinced some major card issuers to walk away from the suit by paying them slightly more than the amount they would normally receive through one of those recovery programs, resulting in between 70% and 80% of compromised accounts no longer being eligible for relief through the legal system.
Some smaller banks are actually sponsored on the major credit card networks by bigger banks. When these larger institutions agreed to drop their claims, it often meant that the sponsored issuers could also no longer pursue the lawsuit. The plaintiff banks say that some of these smaller issuers did not know this would be the case. It is these financial institutions that can receive some of the $2.25 million from Home Depot.
Home Depot paid out $14.5 million for these releases. In total, the company has paid out $140 million to financial institutions and card networks for the breach.
The remaining plaintiff banks can now claim their piece of the $25 million settlement. Each bank can receive around two dollars for each payment card compromised during the breach. They will not have to demonstrate any additional losses on those accounts. Banks that do have evidence of uncompensated financial losses can submit it and receive up to 60% of that amount.
In a statement regarding the settlement, Credit Union National Association CEO Jim Nussle says this settlement is a step toward making the plaintiffs whole again.
“Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards,” said Nussle.