Data Breach Settlements Announced

Washington, DCTwo large-scale data breach settlements have been announced, one involving Home Depot lawsuits and the other involving claims made by the Federal Trade Commission against Wyndham Hotels. Both involved situations in which hackers illegally obtained the payment information of customers, with plaintiffs alleging serious failures on the part of the defendants. In recent years, lawsuits have been filed against numerous companies alleging those companies failed to adequately protect personal information.

Recently, Target agreed to pay $39 million to financial institutions including MasterCard and banks, linked to a data breach in which hackers obtained access to 40 million credit and debit card numbers. According to reports, Target allegedly knew about the data breach for 12 days but failed to take appropriate action on it. According to EndGadget (12/2/15), Target has already agreed to pay $67 million to Visa and $10 million to individual consumers who were affected by the breach.

Lawsuits were filed by individuals against Target in 2013, alleging consumer information was stolen between November 27 and December 15, 2013. Plaintiffs claimed Target was negligent in failing to implement and maintain reasonable security measures to protect customer information. In 2015, a settlement was announced, with customers who have documentation of their losses being eligible for up to $10,000 in damages. Customers who cannot document their losses will be paid out of the remainder of a fund.

Meanwhile, Wyndham Hotels and Resorts has agreed to settle claims from the FTC that the company “unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches,” according to a news release from the FTC. The settlement does not require Wyndham to admit liability, nor will Wyndham have to pay damages to the FTC.

Rather, the settlement requires the company to “establish a comprehensive information security program designed to protect cardholder data - including payment card numbers, names and expiration dates.” Wyndham will also be required to conduct yearly security audits.

The FTC filed its complaint against Wyndham after the company faced three security breaches within two years, which the FTC alleged resulted in “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

According to the FTC’s initial complaint, Wyndham failed to take security measures, including firewalls and network segmentation, and complex user IDs. More than 500,000 payment card accounts were reported compromised in the data breaches.

Consumers whose personal information is compromised due to inadequate security measures on the part of businesses or other organizations may be able to file a lawsuit to recover money lost to fraud or damages linked to identity theft.