Court Clears Way for Banks' Home Depot Suit to Proceed

Judge Rejects Dismissal, Citing Security Negligence Allegations

A federal judge in Georgia has cleared the way for a class-action lawsuit filed by card issuers against Home Depot over the retailer's massive 2014 payments breach to proceed. In making the ruling, the judge noted the banks' allegations regarding the retailer's security negligence appear to have merit.

The judge rejected most of Home Depot's motions to have various claims in the lawsuit dismissed, clearing the way for the case to go to trial. The issuers are seeking reimbursement from the retailer for breach-related expenses, such as the cost of reissuing cards and reimbursing cardholders for fraudulent transactions. They also seek declaratory relief for future breaches.

Between April and September 2014, some 56 million credit and debit cards in the U.S. and Canada were compromised as a result of an attack against Home Depot's point-of-sale system. Plaintiffs in the lawsuit, filed in May 2015, claim Home Depot failed to address known vulnerabilities in the system for several years, despite numerous warnings.

John Buzzard, a card fraud expert and the former head of FICO's Card Alert Service, says the plaintiffs' apparent success in convincing the court that Home Depot ignored warnings that its POS system was vulnerable to attack could be the game-changer that sets this case apart.

"The plaintiffs more than portrayed Home Depot as grossly negligent and seemingly uncaring prior to the actual breach," Buzzard says. "The proverbial airing of the dirty laundry, so to speak, gives them considerable leverage, I would think. This won't be a bad precedent at all if it travels through the court system and a competent jury renders its decision. This will be powerful regardless of the outcome. We all want to see more definitive legal action, and this may very well be it."

In another retail breach-related legal development, a federal judge on May 12 granted final approval to Target's $39.4 million settlement with issuers impacted by Target's 2013 breach.

Merits of the Suit

Al Pascual, head of fraud and security for Javelin Strategy & Research, says the Home Depot lawsuit likely will go to trial, rather than be settled out of court, like the Target suit.

"Based on Home Depot's recent reporting, the breach has cost them just over $5 per compromised account, not counting the insurance reimbursement the company received of $100 million," he says. "That is strikingly low and placed a disproportionate burden on affected financial institutions. My question is, if this suit isn't successful, then what kind of incentive is there for other organizations to address known security vulnerabilities? Why not just leave the banks on the hook for the bulk of the costs, because the customers will eventually get over it, right?"

In his ruling rejecting Home Depot's motion to dismiss the case, U.S. District Judge Thomas W. Thrash says dismissing the case would suggest that retailers are not responsible for ensuring their own cybersecurity, which is far from the reality of today's marketplace.

"The court declines the defendant's invitation to hold that it had no legal duty to safeguard information, even though it had warnings that its data security was inadequate and failed to heed them," Thrash writes. "To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyberattacks, leaving consumers with no recourse to recover damages, even though the retailer was in a superior position to safeguard the public from such a risk."

Claims of Negligence

In their lawsuit, the banks describe various points along the way when they allege Home Depot could have shored up security and chose not to. Warnings about vulnerabilities in Home Depot's data security practices date back to 2008, when Home Depot's IT team reported to management that the retailer's computer systems were "easy prey for hackers," the lawsuit states.

The suit also alleges that Home Depot was warned again, in 2009 and 2010, by "computer experts" and internal IT staff about the need to encrypt customer data at the point of sale as well as the need to address a security flaw "that allowed unauthorized persons to access the network and navigate freely without triggering any alarms."

In 2011, numerous employees working on data security issues in Home Depot's IT department left the company, "leaving the IT department understaffed," the suit claims. In July 2013, Home Depot suffered a "small data breach" that involved eight POS terminals that were infected with malware at a store in Dallas, the suit states. In December of that year, another store in Columbia, Md., was allegedly infected with POS malware as well, the suit adds.

"On Oct. 1, 2013, FishNet Security warned the defendant that its computer systems were vulnerable because the firewall was not operating properly," according to the suit. "In December of 2013, hackers installed malware at Target stores nationwide, and the defendant attempted to respond by assembling a task force to address the situation. In January of 2014, an outside security consultant told the defendant that its network was vulnerable to attack and did not comply with industry standards."

The suit alleges that in February 2014, Home Depot's data security task force offered recommendations for POS and network security, but by the time the company began to implement the recommendations, which included POS encryption, its systems had already been breached.

What Makes Case Unique?

Cybersecurity attorney Chris Pierson, who serves as CISO and general counsel at invoicing and payments provider Viewpost, says the details outlined in the lawsuit about claims made by security firms and former employees could be very damaging for Home Depot and very powerful for the issuers seeking reimbursement for breach-related expenses if they're proven to be true at trial.

"The allegations from former employees and other potential whistleblowers are truly unique, and their impact on the case could be measurable and bring about a swifter and more costly resolution to this matter," Pierson says. "This case presents some very important, if true, factual allegations that are usually not seen until later stages of litigation and full discovery."

Pierson says Home Depot is not likely to propose a settlement of the class-action lawsuit and instead will pursue more legal actions to disprove claims made by the card issuers.

"At this point in time, it is unlikely that Home Depot will seek to settle the case, but, rather, it will try to fight for a motion for summary judgment, alleging that even if these facts are true, the legal prongs have not been successfully proven," Pierson says. "If the allegations and facts in the current documents are, in fact, accurate, then Home Depot has a tougher road ahead."

Commenting on the judge's rejection of its motion to dismiss the case, Home Depot said: "We're naturally disappointed, but respect the decision of the court and we'll continue to focus primarily on our customers, which we've done throughout the process."

In March, Home Depot reached a $19.5 million settlement with consumers affected by its breach (see How Will Home Depot Consumer Settlement Affect Banks?).