On September 22, 2017, U.S. District Judge Thomas W. Thrash granted final approval of a $25 million settlement between Home Depot, the country’s fourth-largest retailer, and banks and financial institutions that issued more than 56 million debit and credit cards to Home Depot patrons. As a part of the settlement, Home Depot is required to strengthen its data security practices and systems. 

Andrew Friedman, Co-Chair of Cohen Milstein's Consumer Practice, served on the Plaintiffs’ Steering Committee (PSC) for the Financial Institution portion of the Multidistrict litigation (MDL).

Case Background

In September 2014, Home Depot confirmed that as early as April 2014, nearly 2,200 U.S. and Canadian stores and their “in-store” credit and debit card processing systems were the target of a cyber security breach that had affected numerous U.S. retailers, including Target, Neiman Marcus, and others. Perpetrators allegedly siphoned off customer payment information and distributed it through nefarious channels. Home Depot allegedly became aware of the breach in August, after banks and law enforcement notified them of a potential breach.

On November 13, 2014 Cohen Milstein filed a class action complaint, alleging that Home Depot’s negligent security protocols resulted in the massive data breach that subsequently harmed customers and the banks and financial institutions that service those patrons.  The data breach compromised 56 million credit and debit card numbers. 

After Cohen Milstein’s class action was joined with other cases pending before the Northern District of Georgia as a Multi-District Litigation (MDL), Mr. Friedman was appointed by the Court to Plaintiffs’ Steering Committee.  As a member of that Committee he headed the expert team which, among other things, devised a novel theory for calculating class-wide damages amongst the financial institutions impacted by the breach. The litigation resulted in a $25 million settlement on behalf of financial institutions.

The MDL is named: In re: The Home Depot Inc. Customer Data Security Breach Litigation, Case No.1:14-md-02583, U.S. District Court, Northern District of Georgia.