An apparent settlement between Home Depot and MasterCard International Inc. over a massive customer data breach last year has prompted lawyers for financial institutions that are suing the Atlanta-based home improvement chain for damages caused by hackers to cry foul.
Counsel for the plaintiff banks and credit unions claim that, over the Thanksgiving holiday, without their knowledge, agents of Home Depot sent “highly misleading and coercive communications” offering an apparent settlement to their clients and other potential plaintiffs in the multidistrict litigation. The notices were sent as the presiding judge was still considering whether to allow Home Depot to communicate directly with potential class members without prior screening either by plaintiffs’ attorneys or the court.
The notices announced a deal between Home Depot and MasterCard, which is not a plaintiff in the multidistrict litigation.
Some notices required proposed class members to take action by Dec. 2, “without providing even the most basic information regarding the settlement terms,” attorneys said in a motion filed Monday. Some notices said that a failure to act within the time limit would result in an automatic enrollment in the settlement, the plaintiffs’ lawyers added.
“What is clear from the timing and substance (or lack thereof) of the communications is that Home Depot, the other parties to the settlement, and those acting in concert with them do not want to make public the full details of the settlement and to provide financial institutions the necessary information to make an informed decision as to whether to participate in the settlement,” the financial institutions’ counsel contended.
They have asked U.S. District Chief Judge Thomas Thrash Jr. for an immediate hearing so that Home Depot “can explain its actions,” including “the scope and extent of the communications.” They also asked the judge to limit further communications by Home Depot or its agents with any potential class members. The lawyers have also suggested they may seek further relief, including a possible preliminary injunction to bar Home Depot and anyone acting in concert with the chain from implementing the settlement or enforcing any releases that may have been secured as a result of the notices.
Plaintiffs’ counsel also have asked that Home Depot be required to produce a copy of the settlement with MasterCard and any other settlement agreements it may have reached with potential class members, as well as all communications regarding the settlement and a list of all those to whom those communications were sent.
By Thursday, Thrash had not acted on the plaintiffs’ motion.
Phyllis Sumner, a partner at King & Spalding and one of a team of attorneys defending The Home Depot, referred the Daily Report to a company spokesman. Home Depot spokesman Stephen Holmes told the Daily Report that Home Depot was not aware of the letters that were sent last week to potential plaintiffs in the ongoing case and had not asked anyone else to send out the communiques.
Ken Canfield of Doffermyre Shields Canfield & Knowles, co-lead counsel for the financial institutions, declined to comment on the settlement or the pending motion.
Last year, a string of banks, credit unions and customers sued Home Depot, claiming that, collectively, they sustained millions of dollars in damages as a result of the security breach, which exposed the personal payment information of about 56 million customers to computer hackers for at least five months. The complaints contend that a private data security firm retained by Home Depot first notified company executives in July 2014 that Home Depot’s malware detection systems were out of date and its customers’ personal and financial data were vulnerable to cyberattacks by hackers at its checkout terminals. But the company didn’t upgrade its anti-virus software, the suits contend, and never detected the malware in its system.
The Home Depot belatedly went public with the breach last year after chain executives learned that customers’ personal and financial data had been posted for sale on a black market website. The chain released a statement saying that the malware associated with the data breach had been purged. The company also announced at the time that it had enhanced the encryption of payment data at the point-of-sale in Home Depot’s U.S. stores.
Originally published on the Daily Report.