LAKEWOOD, N.Y., and NEWCASTLE, Pa. (9/25/14)--Two Northeastern credit unions have filed a pair of lawsuits against Home Depot, alleging that financial institutions nationwide have suffered millions of dollars in damages as a result of the data breach that befell the home improvement retail chain recently (Daily Report Sept. 23).
The suits, likely headed for class action status that would include both banks and credit unions, both claim that personal payment data from an estimated 56 million consumers were compromised and accessible to cybercriminals for more than five months before Home Depot learned of the incident.
One of the suits further alleges that Home Depot knew about the data breach for a week before it publicly announced the incident had occurred. (See related story: Jimmy John's: Vendor data breach impacts 216 stores.)
Southern Chautauqua FCU, Lakewood, N.Y., with $61 million in assets, and First Choice FCU, Newcastle, Pa., with $39 million in assets, filed the lawsuits in Atlanta last week. The suits are likely to be the first of many that will be brought against Home Depot in the coming months.
"There seems to be a consensus that tens of millions of cards are impacted," said W. Pitts Carr, the attorney representing Southern Chautauqua (Daily Report). "The major issue is who will be responsible for the enormous cost associated with cybercrimes--the retailers where the problem manifests itself, or the banks that have no control over what goes on at the retailer (level)?"
The Credit Union National Association continues to urge Congress to pass legislation that would ratchet up data security standards for merchants, who are not beholden to the same standards that financial institutions must meet.
The widely publicized Target breach that was revealed in December 2013 cost credit unions alone roughly $30.6 million, according to CUNA estimates. That breach also resulted in credit unions reissuing about 4.6 million credit and debit cards.
As was the case in the aftermath of the Target breach, CUNA will work to bring together credit unions looking for legal representation and law firms looking for cases in the data security field to facilitate lawsuits, according to Eric Richard, CUNA general counsel.
CUNA is also working with key industry workgroups to help promote better data security for merchants and to represent credit union interests. These include the Payments Security Task Force, led by Visa and MasterCard, and additional payments and data security workgroups with the major financial services trade associations.
The lawsuits filed by the two credit unions last week claim consumer names, credit and debit card numbers, expiration dates, verification numbers and the states and ZIP codes associated with every card transaction in more than 2,000 stores were exposed.
In light of recent attacks on other large retailers, the Home Depot breach should never have happened, the attorney representing First Choice said.
"It is simply unacceptable that Home Depot allowed this to happen," said Gary Lynch, partner at Carlson Lynch Sweet & Kipela in Pittsburgh. "And if it's true that they didn't detect the hack for four months, that's even worse."
The credit unions are seeking at least $5 million apiece in damages. Their attorneys say the breach may have cost financial institutions across the United States hundreds of millions of dollars.