In the latest settlement of legal claims arising out of a massive 2014 data breach at Home Depot, the retailer has agreed to pay $27.25 million to affected financial institutions.
Banks that file valid claims will get a “fixed payment award” of about $2 per compromised payment card without having to prove their losses, even if they have received compensation from another source.
Those that can prove their losses may get an additional “documented damages award” of up to 60% of their uncompensated costs, according to the settlement documents.
“Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards,” Jim Nussle, chief executive of the Credit Union National Association, said in a news release. “This settlement would be a step toward making them whole again.”
Home Depot disclosed in September 2014 that hackers stole payment card data from customers who made purchases at self-checkout terminals between April 10, 2014, and Sept. 13, 2014. The hackers also stole a separate file of customer email addresses.
In addition to the class action settlement announced this week, Home Depot has paid at least $134.5 million in compensation to consortia made up of Visa, MasterCard, and various banks. Consumers last year received a $19 million settlement that included a $13 million cash fund as well as $6 million in credit monitoring services.
“The discrepancy between the payments to consumers and banks arises because the latter can show clear damages from the breach, such as fraudulent transactions and lost credit card fees,” Fortune explained. “Consumers, on the other hand, were made good for any unauthorized purchases.”
For Home Depot, the cost of the breach is at least $179 million, according to court documents. “The final total, though, is likely to be much higher because of legal fees and any other undisclosed payouts,” Fortune said.
As part of the latest settlement, Home Depot also agreed to track and manage its data security risk assessments using a risk-exception process, conduct annual reviews of service providers and vendors that have access to payment card information, and create a security-control framework.