Data breach lawsuits follow familiar pattern after hack

ajc.com

If retail giant Target is any guide, Atlanta-based Home Depot can expect dozens of lawsuits, many of them class-action filings, in the coming months in connection with the data breach it revealed in September.

Suing companies after such breaches on behalf of consumers, shareholders and banks has almost become a cottage industry over the past decade as corporations increasingly become targets of hackers.

Traditionally, companies could be expected to settle quickly and quietly out of court, offering consumers credit protection and monitoring, and a legal firm could nab a nice payday. After all, for most big companies settlement costs were much lower than the millions it would take to upgrade their data security.

But experts say increasing media coverage of breaches and the damage they can inflict on a brand may be changing the calculus.

Target’s 46 percent drop in profits after the company’s breach around last year’s holiday season made it the poster child for the negative impact of hacks. Target’s breach cost the retailer customers and the chief executive officer his job.

The exponential increase in attacks has made every business consider not if it will happen, but when, and just how bad it will be.

“Nobody wants to be the next Target,” said Herb Mattord, who teaches courses in information security and information systems at Kennesaw State University. Companies are now heeding advice to take breaches seriously and not trivialize them as a cost of doing business, he said.

The Home Depot breach, which was revealed in early September and had been going on since last spring, netted cyberthieves 56 million credit card numbers, a larger number than the 40 million credit- and debit-card data loss at Target. Home Depot’s hack was topped this month when banking giant JP Morgan Chase said it lost the personal information of 76 million customers over the summer.

More than a dozen lawsuits have been filed against Home Depot since the breach, including the first class-action filing on Sept. 5 while the home-improvement Goliath was still investigating the hack. Most make the same claims: that Home Depot failed to protect consumer information and did not notify customers in a timely manner. Banks and credit unions also are seeking reimbursement for reissuing credit cards and paying for illegal charges.

More than 100 class-action suits have been filed against Target since its breach — including suits by credit card companies seeking to recoup the cost of reissuing cards.

There is risk for law firms that file the lawsuits, especially those representing consumers, said Charles Hoff, a founder of PCI University, an Atlanta company that helps companies understand credit-card compliance and security. There is no single client in a class-action lawsuit paying the bills, so the firms take on all expenses. If a judgment doesn’t go their way, they could be out tens of thousands of dollars, depending on the case.

And the more suits that are filed, the less likely it becomes that every firm will recoup its investment. At the very least, they’ll see the payoff diluted.

Despite the risks, experts expect the lawsuits to continue to grow, mostly because 47 of the 50 states — Georgia among them — have notification laws that mandate companies disclose breaches. That transparency, coupled with the increasing number of hacks, has forged the explosion of lawsuits.

What is yet to be determined is how successful the lawsuits will be in the current environment. The U.S. Supreme Court in recent rulings has tightened the standards for recovery, mandating that plaintiffs must prove actual damages, not just the potential to be harmed, Hoff said.

For consumers, reaching that bar is difficult because illegal credit transactions made in a breach are waived, thereby costing them nothing. To protect themselves, corporations also immediately offer cardholders free credit monitoring, usually for about a year.

But Mattord argued that companies have themselves to blame for having to play defense.

“The challenge the defendants have is they have been told the liability exists and they have tried to wish it away,” he said. “Every business executive is in denial from the exact risk they face from these liabilities.”

With that in mind, the trend for most companies is to try to get out in front of a breach, said John Kloecker, an attorney in the Chicago office of law firm Locke Lord. With more at stake than the loss of money paid in settlements, corporate leaders are learning that they have to be upfront with as much information as possible.

“The worst thing a company can do is deliver the news in small doses,” he said.