Home Depot Moves to Dismiss Data Breach Class Action

Published: Oct. 17, 2014

Updated: Oct. 05, 2020

Recently, Home Depot moved to dismiss one of the more than a dozen class action lawsuits filed against it following a revelation last month that its payment data system was breached. Home Depot’s motion illustrates many of the common arguments companies suffering breaches make when responding to the inevitable subsequent lawsuits.

The lawsuit, filed by two named plaintiffs just two days after news of the Home Depot breach became public, asserts claims under the data breach statutes of nearly 40 states as well as various common law claims. One of the plaintiffs alleges that his debit card was unlawfully used to make a fraudulent purchase of $49.95 during the period the breach was alleged to be ongoing. The other plaintiff does not allege any fraudulent use of his payment card, asserting instead that the breach harmed him because he now faces an imminent and certainly impending threat of future additional harm due to the increased threat of identity theft and fraud.

Home Depot moved to dismiss the lawsuit on several grounds. First, Home Depot argued that the plaintiffs lacked Article III standing. In doing so, Home Depot pointed to the Supreme Court’s recent decision in Clapper, which reiterated that to satisfy Article III standing, the “threatened injury must be certainly impending to constitute injury-in-fact and that [a]llegations of possible future injury are not sufficient” to confer standing. Home Depot also pointed to federal court decisions in data breach lawsuits across the country, including a recent decision from neighboring Alabama, finding that the threat of future identity theft or fraud does not create Article III standing. With respect to the plaintiff who alleged his card was improperly used, Home Depot argued that he still lacked standing because he did not sufficiently allege that his bank (or Home Depot) would not reimburse him for the charge, or that the improper charge was the result of the Home Depot breach. According to Home Depot, his “simplistic allegation that he incurred a single fraudulent charge two days before he filed suit (and for which he apparently incurred no personal loss) is simply insufficient to support a plausible inference that he has suffered an injury or faces a certainly impending threat of actual identity theft or injury.” Home Depot further argued that both plaintiffs lacked standing to assert any claims under the data breach laws of states in which they did not reside.

Home Depot then argued that even if plaintiffs had standing, the complaint should be dismissed for failure to state a claim upon which relief can be granted. Home Depot argued that plaintiffs could not state a claim under Georgia’s data breach statute because the statute does not allow for a private right of action, and because Home Depot is not a “data collector” or “information broker” covered by the statute.

Home Depot also sought dismissal of all the common law claims, arguing that:

  • plaintiffs’ negligence claims failed because plaintiffs did not adequately allege an injury resulting from Home Depot’s alleged negligence and because the economic-loss doctrine, which limits a consumer to contractual remedies when the only loss they seek to recover is economic and not physical, bars such claims;
  • plaintiffs’ breach of implied contract claim failed because plaintiffs have not identified anything Home Depot said or did “to manifest an intent to enter into an agreement to protect their payment card data,” and because plaintiffs have no injury;
  • plaintiffs’ bailment claims failed because “[c]ourts in every prior data-breach case to consider a similar claim have concluded that providing payment information in a purchase transaction does not create a bailment;” and
  • plaintiffs’ unjust enrichment claims failed because they failed to adequately allege that Home Depot obtained a benefit from them without paying for it. In doing so, Home Depot argued that to the extent plaintiffs’ unjust enrichment claim was based on a “would not purchase” theory, it should be rejected because they received the product and thus obtained the benefit of the bargain.
