Reuters reports that Home Depot recently reached a settlement agreement in a class-action lawsuit brought by consumers over the massive data breach in 2014, though the agreement must be approved by the federal court. The data breach occurred between April and September of 2014 and affected many customers in the United States and Canada. The payment card data of 40 million Home Depot shoppers was stolen, as were the email addresses of 52 million to 53 million customers. The card data was stolen when a vendor's username and password were used to gain access to the retail giant's computer network and used malware to harvest customer information.
Though the company did not admit any liability or wrongdoing, the settlement agreement will see Home Depot paying out $19.5 million. $13 million will be put into a fund to reimburse customers for out-of-pocket losses resulting from the breach and a minimum of $6.5 million will be used for identity protection services for customers. The services will be for a year and a half. In addition to the monetary compensation, under the settlement agreement terms, Home Depot will take steps to improve its security over two years. They must hire a chief information security officer to oversee the improvements being made. Home Depot will also cover the legal fees and costs.
This is not the first time a large retailer has been the victim of a data breach and settled a class action lawsuit to remedy the damages to consumers. Not too long ago, Target had a significant data breach. The retail giant agreed to pay out $10 million to customers affected by a 2013 data breach during the holiday shopping season. The breach affected about 40 million people. The settlement agreement stated that the company would shell out up to $10,000 in damages for each person. Those who had documentation that their information was stolen would be reimbursed first. According to CNN Money, this reimbursement will likely be compensating victims of the breach for "lost time" rather than fraudulent charges since most banks fully reimburse people for unauthorized charges. The victim's time is worth $10 an hour and "at most, they can get reimbursed for two hours for dealing with each instance of 'substantiated loss.'" Documentation is needed for these types of claims as well. Once those with documentation are paid, then those without documentation would receive the remainder of the fund, which would be distributed evenly among them. Like Home Depot, Target must also improve its security and hire a chief information security officer. In addition, the retail giant is required to give its employees security training.
Class action lawsuits like these help consumers to recover damages, as well as hold retailers responsible when customer information is lost in security breaches. With the world going increasingly digital, strong cyber security measures are needed to make sure the customers who entrust their data to corporations like Target and Home Depot do not have to worry about that information falling into the wrong hands.