Dealing with a data breach: key takeaways from the Home Depot class action

The Ontario Superior Court of Justice recently approved a settlement agreement in the Lozanski v The Home Depot class action,¹ a decision which highlights the fact that adequate protection and response to a breach can reduce the legal risks after a data breach. This class action was filed following a card payment system breach that gave hackers access to personal information of customers such as names, credit card numbers, expiration dates and verification value codes from Home Depot’s card payment system for six months.

The key takeaway of this decision is Justice Perell’s conclusion that Home Depot’s potential liability was in the range of negligible to remote based on its very timely and thorough response to the breach, the fact it had spent several millions dollars to address the privacy concerns of its customers and the fact it could not be blamed for its occurrence. The court also noted the lack of significant damages suffered by the plaintiffs.

Lack of significant damage

In order to justify their fees, class counsel submitted that the settlement was worth over $1 million in benefits to the class members. However, after having reminded the parties that the fee approval needs to be viewed namely through the lens of a judicial economy and because Home Depot had good arguments that it ought not to have been the subject of a class action at all, the Honorable Justice Perell reassessed the value of the settlement in favour of the class members. To do so, he analyzed the three heads of damages raised by the plaintiff as a result of the card payment system breach: (1) The risk of a fraudulent charge on one’s credit card; (2) the risk of identity theft; and (3) the inconvenience of checking one’s credit card statements.

He considered that the proof of any consequent damage was in the range of negligible to remote. On the first and second heads of damages, there was no evidence that any class member had suffered a fraudulent charge or that the data breach increased the risk of identity theft given that the stolen data was insufficient for this purpose. With regard to the last head of damages, Justice Perell considered that there was no inconvenience damages because credit card holders are already obliged to check their statements for fraudulent purchases.

The Quebec Superior Court had applied the same reasoning in the cases Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières² and Mazzonna v DaimlerChrysler Financial Services Canada Inc.³ The courts stated that monitoring account statements for fraudulent activity is an ordinary inconvenience that is part of the cardholder’s daily activities and does not warrant compensation. They both relied on the Supreme Court case in Mustapha c. Culligan du Canada Ltée⁴ in which it was decided that compensable injury must be serious and prolonged and rise above the ordinary annoyances, anxieties and fears that people living in society routinely accept.

Home Depot’s response

A decisive factor of the settlement approval was Home Depot’s response following the data breach. The court considered Home Depot’s response to be “responsible, prompt, generous and exemplary.” They issued a timely press release, sent informative emails to customers and offered free credit monitoring and identity theft insurance. In view of Home Depot's thorough and transparent response, Justice Perell mentioned that he would have approved a discontinuance of Mr. Lozanski’s proposed class action.

Accordingly, considering that a discontinuance would have provided no benefits to the class members, he easily concluded that the settlement, which at best was worth approximately $400,000, could be approved as being fair, reasonable and in the best interests of class members.

Regarding the fee approval, Justice Perell underlined the fact that it has to be viewed through the lens of access to justice, behaviour modification and judicial economy. Yet, there was no reason to think that Home Depot needed to bring any behavioural modification. After the data breach was discovered, there was no cover-up on Home Depot’s part and it responded as a “good corporate citizen” in light of the breach. Based on this evaluation of class members’ benefits, the court reduced the agreed-upon counsel fee from $406,800 to $120,000.

Our take

The Home Depot class action highlights that adequate prevention, detection and response can significantly mitigate the legal risks and liability that may result from data breaches. Preventive and compensatory measures are recognized by the courts as means of mitigating or eliminating potential damages.

The author wishes to thank articling student Camille Nadeau for her help in preparing this legal update.

Footnotes

¹ 2016 ONSC 5447.

² 2014 QCCS 4061.

³ 2012 QCCS 958.

⁴ 2008 CSC 27.