Data breach settlement approved in Canadian class action lawsuit against Home Depot

An Ontario court recently approved a settlement in a class action lawsuit against Home Depot of Canada, Inc. and its corporate parent arising from a data breach in 2014 that affected its payment card system.

Class action lawsuits were filed in Saskatchewan and Ontario.

Total counsel fee requested by the plaintiffs’ law firms was nearly $407,000 and there was no evidence that any plaintiffs absorbed a fraudulent credit card charge.

A settlement agreement was signed earlier this year and “the court in Saskatchewan was advised that the settlement approval motions would proceed in the Ontario action,” Mr. Justice Paul Perell of the Ontario Superior Court of Justice wrote in his ruling released Aug. 29. “Practically speaking, the Saskatchewan action has been stayed for a national class action in Ontario.”

In Ontario, Justice Perell approved the settlement, valuing it at about $400,000 to the settlement class members. He did not approve a part of the settlement granting honouraria to representative plaintiffs. He also approved counsel fee of $120,000 less than a third of what plaintiffs’ lawyers asked for and about one third of what Home Depot agreed to.

Home Depot denies any wrongdoing.

“Between April 11, 2014 and September 13, 2014, there was a data breach at Home Depot,” Justice Perell wrote. “Its payment card system was hacked by criminal intruders using custom-built malware to clandestinely breach Home Depot’s computer system.”

Related: Home Depot says hackers got access via vendor, also stole 53 million customer email addresses

He added there is “no evidence that a Class Member absorbed a fraudulent charge.”

As part of the settlement agreement in Canada, Home Depot agreed, among other things, to create a non-reversionary fund of $250,000 “for the documented claims of Canadians whose payment card information and/or email address was compromised as a result of the data breach during the data breach period.”

In Saskatchewan, the proposed class initially included “individuals in Canada, who suffered harm, inconveniences, economic losses, mental distress or other losses as a result of a privacy breach, who are and were at all material times owners of or otherwise beneficially entitled to deal with certain information of a confidential character, both personal and financial.”

But that class was overly inclusive “because not all credit or debit card purchasers were affected by the data breach at Home Depot,” Justice Perell noted. “In actuality, the only affected purchasers were those that used their payment card by swiping its magnetic chip through the card reader at self-checkout terminals (a ‘SCO’ terminal) that had been infected by the malware.”

Home Depot customers “with ‘chip’ technology that ‘dipped’ their cards at the reader and entered a PIN were not affected,” Justice Perell added.

One expert witness for the class action in Saskatchewan was Norman Archer, owner of the consulting firm EC Innovations, who has a PhD in physics and is a professor emeritus of information systems for McMaster University’s DeGroote School of Business.

In an affidavit, Archer “deposed that the data breach was preventable, but during cross-examination, he admitted that he was just speculating and that data breaches are not unpreventable,” Justice Perell wrote. A Home Depot expert witness – Telus Corp. security solutions director René Hamel – “testified that despite utmost diligence and efforts to prevent data breaches, companies remain vulnerable because hackers continually develop new malicious code and the game of cat and mouse continues,” Justice Perell wrote.

Related: Home Depot faces dozens of lawsuits over data breach that hit debit and credit cards

Hamel “deposed that the occurrence of a data breach is not proof of a lack of care and of not having taken appropriate preventative measures,” Justice Perell added. “Home Depot was building a very strong case that it had done nothing wrong and there was mounting evidence that no Class Member had in fact been injured.”

On behalf of the plaintiffs, Archer “outlined three heads of damage to consumers from a payment card breach,” Justice Perell added.  The first is “the risk of a fraudulent charge on one’s credit card.” The second is “the risk of identity theft” and the third is “the inconvenience of checking one’s credit card statements.”

He added there is “little risk of fraudulent charges because of sophisticated safeguards developed by credit card companies. Moreover, when there are frauds, the losses are almost always absorbed by the credit card company or the retailer. The credit card companies are not Class Members.

Court records indicate that Merchant Law Group requested counsel fee of nearly $239,000 and McPhadden Samac Tuovi LLP requested counsel fee of more than $121,000.

McPhadden Samac Tuovi’s contingency fee is “35% of the amounts recovered under any Judgment(s), Awards(s), or Settlement(s), (including damages and interest) or on the basis of a multiplier of 3 times the ‘Base Fee’, whichever is higher.”

Justice Perell approved total counsel fee of $120,000 to both firms.

“What might be champertous legal fees in other circumstances is permitted in a class action, but the court is charged with the responsibility of ensuring that the fees are consistent with the values and purposes of the class action regime, which is designed primarily as a means to access to justice for real clients, even recruited ones,” Justice Perell wrote. “And while class counsel should be compensated for taking on the risk of their client’s case, in approving class counsel’s fees the court should not approve the fee simply because a class counsel was prepared to take on the risk.”

Justice Perell added: “The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.”