(Updates costs associated with breach, paragraph 10)
By Jonathan Stempel
March 8 (Reuters) - Home Depot Inc (NYSE:HD) HD.N agreed to pay at
least $19.5 million to compensate U.S. consumers harmed by a
2014 data breach affecting more than 50 million cardholders.
The home improvement retailer will set up a $13 million fund
to reimburse shoppers for out-of-pocket losses, and spend at
least $6.5 million to fund 1-1/2 years of cardholder identity
protection services.
Home Depot also agreed to improve data security over a
two-year period, and hire a chief information security officer
to oversee its progress. It will separately pay legal fees and
related costs for affected consumers.
Terms of the preliminary settlement were disclosed in papers
filed on Monday with the federal court in Atlanta, where Home
Depot is based.
Home Depot did not admit wrongdoing or liability in agreeing
to settle. The settlement requires court approval.
"We wanted to put the litigation behind us, and this was the
most expeditious path," spokesman Stephen Holmes said.
"Customers were never responsible for any fraudulent charges."
Home Depot has said the breach affected people who used
payment cards on its self-checkout terminals in U.S. and
Canadian stores between April and September 2014.
It has said the intruder used a vendor's user name and
password to infiltrate its computer network, and used
custom-built malware to access shoppers' payment card
information.
The accord covers about 40 million people who had payment
card data stolen, and 52 million to 53 million people who had
email addresses stolen, with some overlap between the groups.
Home Depot said it has booked $161 million of pre-tax
expenses for the breach, including for the consumer settlement,
and after accounting for expected insurance proceeds.
Lawyers for the consumers said the accord compares
"favorably" with other data breach class actions, including
Target Corp (NYSE:TGT)'s TGT.N $10 million settlement over a 2013 data
breach that compromised at least 40 million cards.
Legal fees and costs for the lawyers could top $8.7 million,
court papers showed.
At least 57 proposed class action lawsuits were filed in
U.S. and Canadian courts over the data breach. The U.S. cases
were consolidated in the Atlanta court.
The case is In re: Home Depot Inc Customer Data Security
Breach Litigation, U.S. District Court, Northern District of
Georgia, No. 14-md-02583.