Home Depot Already Faces Breach Lawsuit

Home Depot has been hit with a class action lawsuit stemming from a suspected data breach at the home improvement retailer (see: Update: Home Depot Breach Investigation).

See Also: The Alarming Data Security Vulnerabilities Within Many Enterprises

While one legal expert portrays the lawsuit as premature, because the investigation is still under way, another says the filing was made because it's highly likely the breach will be confirmed.

The lawsuit, filed Sept. 4 in the U.S. District Court for the Northern District of Georgia, alleges that the retailer failed to meet its legal obligation to protect customers' credit card and personal information. It also accuses Home Depot of not notifying its customers about the alleged breach, with the facts only coming out following revelations of a potential incident by security blogger Brian Krebs.

"Unfortunately, the assailants compromised personal and/or financial information for hundreds of thousands, if not millions of individuals in the attack, potentially making it one of [the] largest data breaches in the history of the world," the complaint alleges.

The lawsuit lists two plaintiffs who shopped at Home Depot stores and used their payment cards during the time of the suspected breach. One of the plaintiffs says they experienced $50 in fraud losses in the days following a purchase at Home Depot.

The legal action, which seeks unspecified damages, alleges negligence as well as violations of 38 state data breach statutes.

Attorneys representing the plaintiffs did not immediately respond to a request for additional information.

A spokesperson for Home Depot says it's "premature to comment" on the litigation. The retailer says it is continuing to work with its banking partners and law enforcement to investigate the suspected breach.

Analyzing the Lawsuit

Joseph Burton, partner for the San Francisco office of the law firm Duane Morris, questions the timing of the lawsuit. "You have to have a lot of questions about a lawsuit that's filed where there's been virtually no information about the nature or the cause of the breach," he says.

Perhaps, he says, the plaintiffs have information that the public does not. "But based on what's publicly available, it's difficult to understand the basis of such a lawsuit."

The likelihood of the lawsuit being successful is slim, Burton contends. "Almost all the [breach] lawsuits historically up to now that have been filed have not led to successful conclusions short of a settlement," he says. "I don't see why this would be any different."

But Francoise Gilbert, founder and managing director of the IT Law Group, notes: "Class action litigation is a big business where it is useful to position oneself as the first to file. Thus, there is an incentive for class action law firms to react quickly to the news of a particular event. In this case, according to press reports, the likelihood that a breach occurred appears to be quite high, hence the filing."