In the aftermath of major data breaches at deep-pocketed retailers and other businesses, there is typically no shortage of litigants who move quickly to seek compensation from the business at which the breach occurred. But whether the would-be plaintiffs’ claims get very far in court often depends on whether those plaintiffs are individual consumers, or financial institutions. Consumers typically do not fare well, because courts regularly conclude that their losses resulting from fraud are covered in full by banks. By contrast, financial institution generally succeed in defeating motions to dismiss on data breach-related claims, because they can point to the costs of steps that they have to take to cover cardholders’ losses, and to re-issue customer credit or debit cards.
Now Home Depot is trying to ensure that banks, like individual consumers, have little recourse in court against businesses that suffer data breaches. On July 5, the company asked a federal judge in the Northern District of Georgia to certify for interlocutory appeal his May order preserving the great majority of claims brought by a proposed class of financial institutions and credit unions against Home Depot in multidistrict litigation arising from its 2014 data breach. Home Depot argued that the ruling raised at least six novel questions of law that would benefit from immediate resolution, including whether financial institutions have Article III standing to assert claims arising out of a data breach, whether retailers owe banks a duty to protect against third-party criminal hacks, and whether financial institutions can bring negligence claims based on an alleged violation of Section 5 of the Federal Trade Commission Act. Continue Reading