On July 1, 2015, Home Depot filed a Motion to Dismiss the Financial Institution Plaintiffs’ class action lawsuit filed in the District Court for the Northern District of Georgia. The class action is based on the breach suffered by Home Depot when hackers accessed Home Depot’s payment data systems using the credentials of third-party vendors in April of 2014. Once gaining access to Home Depot’s systems, the hackers installed malware on Home Depot’s self check out registers and stole customers’ payment information.
No Standing to Bring Suit
As seen in other litigation related to data breaches, Home Depot argues the class action should be dismissed because “[n]o bank has identified any specific loss or injury, and the vast majority of the general categories of losses alleged were – by the Banks’ own admission – incurred by them when ‘taking steps to prevent future fraud.’” This argument has been successful for many data breach defendants. Specifically, Home Depot argues the Financial Institution’s allegations are limited to losses when they had to cancel and reissue cards after the breach, shut down accounts, notify customers and investigate fraud. That is, Home Depot is arguing the Financial Institutions lack standing because their damages are limited to costs they may incur in the future.
As seen in other data breach litigation, Home Depot also contends that a series of complex contracts among various banks require the Financial Institutions to look elsewhere for its damages. Home Depot’s argument is that the Financial Institutions issued its payment cards (the Issuers) under contracts with other banks that handle the purchases with the payment cards (the Acquirers). And, as part of the contracts, the Issuers must follow certain procedures to be reimbursed for their costs generally referred to as “the Card Brand Recovery Process.” In turn, the Acquirers can seek indemnification for costs incurred in “the Card Brand Recovery Process” from the merchant. Target made this argument in its motion to dismiss claims brought by banks related to its data breach.
Home Depot asserts that the Financial Institutions’ claims should be denied because they lack standing under the reasoning in the U.S. Supreme Court’s decision in Clapper v. Amnesty Int’l USA. In particular, Home Depot relies onClapper for the proposition that “[n]ot just any financial loss or injury will suffice to confer standing. Rather, to satisfy Article III, an injury must be “fairly traceable to the challenged action.” And, in support of its Motion to Dismiss, Home Depot argues the Financial Institutions lack standing because the banks have not “identified a ‘concrete particularized’ injury” and protection against future harm does not create standing.
Negligence Claims Fail as a Matter Of Law
Additionally, Home Depot argues the Financial Institutions’ negligence claims should be dismissed, even if they can establish standing, because the Economic Loss Rule bars recovery. In general, the Economic Loss Rule holds there is “no recovery in tort for economic losses unless they result from injury to person or property.” Home Depot asserts the Financial Institutions’ claims are barred by the Economic Loss Rule because its claimed damages incurred “from intentional conduct and steps the Banks took to mitigate the risk of possible future harm.”
Home Depot also seeks dismissal of the Financial Institutions’ negligence causes of action because, under Georgia law, “there is no legal duty to anticipate criminal acts of third parties or to control the conduct of those parties.” Under this theory, Home Depot argues it cannot be held liable when there is “no common law duty to safeguard personal information under Georgia law.”
The Target Decision Should Shed Light on Home Depot’s Arguments
The litigation related to the Target data breach will undoubtedly provide guidance on the issues presented by Home Depot’s Motion to Dismiss. In the Targetlitigation, the District Court for Minnesota held the Financial Institutions’ action survived Target’s Motion to Dismiss. Therefore, we expect the Georgia District Court to address the Target decision by either adopting the reasoning of the Minnesota District Court or distinguishing Home Depot’s breach from Target’s breach.