IN THE UNITED STATES DISTRICT COURT NORTHERN...

108709

IN THE UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA

ATLANTA DIVISION

In re: The Home Depot, Inc. Customer Data Breach Litigation This Document Relates to: All Financial Institution Cases

)))))))

MDL No. 14-02583-TWT

FINANCIAL INSTITUTION PLAINTIFFS’ MEMORANDUM IN OPPOSITION TO HOME DEPOT’S MOTION TO DISMISS

“If we rewind the tape, our security systems could have been better… Data security just wasn’t high enough

in our mission statement.”

Frank Blake, Home Depot’s recently retired Chief Executive Officer and Current Chairman of the Board

Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 of 68

i

TABLE OF CONTENTS

PAGE �

INTRODUCTION ..................................................................................................... 1�

FACTUAL BACKGROUND .................................................................................... 4�

ARGUMENT AND CITATION OF AUTHORITY ................................................. 7�

I.� ARTICLE III STANDING EXISTS ..................................................... 7�

A.� Plaintiffs Suffered Concrete Injuries, Traceable to Home Depot, That Can Be Redressed by a Judgment in Their Favor .............................................................................. 7�

B.� Home Depot’s Standing Arguments are Meritless ..................... 9�

1.� Each Plaintiff Has Sufficiently Alleged a Concrete Injury ................................................................. 9�

2.� Mitigation Costs Incurred by Plaintiffs Confer Standing .......................................................................... 11�

3.� Lost Card Value Constitutes an Injury-in-Fact .............. 14�

II.� PLAINTIFFS ADEQUATELY PLEAD NEGLIGENCE CLAIMS .............................................................................................. 15�

A.� The Economic Loss Rule Does Not Bar the Negligence Claims .................................................................... 15�

B.� Home Depot Owed a Legal Duty to Plaintiffs .......................... 21�

C.� Plaintiffs Allege that the Criminal Acts Were Foreseeable ................................................................................ 27�

D.� Plaintiffs Adequately Plead a Negligence Per Se Claim ......................................................................................... 28�


ii

III.� PLAINTIFFS STATE VALID CLAIMS FOR EQUITABLE RELIEF ............................................................................................... 33�

IV.� PLAINTIFFS ADEQUATELY ALLEGE STATUTORY CLAIMS .............................................................................................. 37�

A.� Plaintiffs Have Standing to Assert Statutory Claims. ............... 37�

B.� Plaintiffs Have Alleged an Unfair Practice Under Each Statute. .............................................................................. 38�

C.� Plaintiffs Plead All Essential Elements of Each Statute. ....................................................................................... 39�

V.� PLAINTIFFS’ CLAIMS ARE RIPE .................................................. 47�

CONCLUSION ........................................................................................................ 50�


iii

TABLE OF AUTHORITIES PAGE

Cases

Aetna Life Ins. Co. of Hartford, Conn. v. Haworth, 300 U.S. 227 (1937) ............................................................................................ 48

Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) .............................................................. 27

Amick v. BM & KM, Inc., 275 F. Supp. 2d 1378 (N.D. Ga. 2003) ............................................................... 28

Anderson v. City of Alpharetta, 770 F.2d 1575 (11th Cir. 1985) .......................................................................... 15

Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) .................................................................. 12, 13, 27

Arcia v. Fla. Sec'y of State, 772 F.3d 1335 (11th Cir. 2014) .......................................................................... 37

Argonaut Midwest Ins. Co. v. McNeilus Truck & Mfg., Inc., No. 1:11-cv-3495, 2013 WL 489141 (N.D. Ga. Feb. 8, 2013) .......................... 17

Ashcroft v. Iqbal, 556 U.S. 662 (2009) .............................................................................................. 7

Atlanta & W. Point R.R. Co. v. Underwood, 126 S.E.2d 785 (Ga. 1962) ................................................................................. 33

Banknorth, N.A. v. BJ's Wholesale Club, Inc., 394 F. Supp. 2d 283 (D. Me. 2005) ................................................. 16, 20, 23, 48

Bans Pasta, LLC v. Mirko Franchising, LLC, No. 7:13-cv-00360-JCT, 2014 WL 637762 (W.D. Va. Feb. 12, 2014) ...... 29, 31

Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) .............................................................................................. 7


iv

Bishop v. Shorter Univ., Inc., No. 4:15-CV-00033-HLM (N.D. Ga. June 4, 2015) ..................... 1, 3, 15, 21, 27

BJ's Wholesale Club, 140 F.T.C. 465 (2005) ........................................................................................ 38

Blake v. Fed. Way Cycle Ctr., 698 P.2d 578 (Wash. Ct. App. 1985) .................................................................. 46

Blizzard Entm't, Inc. v. Ceiling Fan Software LLC, 28 F. Supp. 3d 1006 (C.D. Cal. 2013) ................................................................ 41

Bolin v. Story, 225 F.3d 1234 (11th Cir. 2000) .......................................................................... 35

Bradley Ctr., Inc. v. Wessner, 296 S.E.2d 693 (Ga. 1982) ................................................................................. 21

Brock v. Avery Co., 110 S.E.2d 112 (Ga. Ct. App. 1959) ................................................................... 24

CardSystems Solutions, Inc., No. C-4168, 2006 WL 2709787 (F.T.C. Sep. 5, 2006) ...................................... 38

Cel-Tech Commc'ns, Inc. v. L.A. Cellular Tel. Co., 973 P.2d 527 (Cal. 1999) .................................................................................... 40

Chabner v. United of Omaha Life Ins. Co., 225 F.3d 1042 (9th Cir. 2000) ............................................................................ 41

Citizens Bank of Pa. v. Reimbursement Techs., Inc., No. 12-1169, 2014 WL 2738220 (E.D. Pa. 2014) .............................................. 26

City of Atlanta v. Benator, 714 S.E.2d 109 (Ga. Ct. App. 2011) ................................................................... 19

Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013) ............................................................................. 7, 11, 12

Corbitt v. Walgreen Co., No. 7:14-CV-17 (MTT), 2015 WL 1726011 (M.D. Ga. Apr. 15, 2015) .... 21, 22


v

Cumis Ins. Soc'y, Inc. v. Merrick Bank Corp., No. CIV 07-374, 2008 WL 4277877 (D. Ariz. Sept. 18, 2008) ......................... 18

Dekalb Cnty. v. HSBC N. Am. Holdings, Inc., No. 1:12-CV-03640-SCJ, 2013 WL 7874104 (N.D. Ga. Sept. 25,

2013) ................................................................................................................... 47

Dempsey v. Joe Pignataro Chevrolet, Inc., 589 P.2d 1265 (Wash. Ct. App. 1979) ................................................................ 46

Downes-Patterson Corp. v. First National Supermarkets, Inc., 780 A.2d 967 (Conn. App. Ct. 2001) ................................................................. 42

Edmunds v. Cowan, 386 S.E. 2d 39 (Ga. Ct. App. 1989) ................................................................... 27

Erickson v. Pardus, 551 U.S. 89 (2007) ................................................................................................ 7

FEC v. Lance, 635 F.2d 1132 (5th Cir. 1981) ............................................................................ 48

Forum Architects LLC v. Candela, No. 1:07cv190/SPM/AK, 2008 WL 5101779 (N.D. Fla. Nov. 26, 2008) ................................................................................................................... 48

FTC v. Kitco of Nevada, Inc., 612 F. Supp. 1282 (D. Minn. 1985) .................................................................... 32

FTC v. Sperry & Hutchinson Co., 405 U.S. 233 (1972) ............................................................................................ 32

FTC v. World Wide Factors, Ltd., 882 F.2d 344 (9th Cir. 1989) .............................................................................. 32

FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014) .................................................... 24, 30, 32, 38

Galaria v. Nationwide Mutual Insurance Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014) ............................................................... 14


vi

Garrett v. RentGrow, Inc., No. 04 C 8309, 2005 WL 1563162 (N.D. Ill. July 1, 2005) .............................. 43

Gemtel Corp. v. Cmty. Redev. Agency of L.A., 23 F.3d 1542 (9th Cir. 1994) .............................................................................. 48

General Electric Co. v. Lowe’s Home Centers, Inc., 608 S.E.2d 636 (Ga. 2005) .......................................................................... 18, 19

Giordano v. Wachovia Sec., LLC, 2006 WL 2177036 (D.N.J. July 31, 2006) ......................................................... 14

Green v. Ebay Inc., No. 14-1688, 2015 WL 2066531 (E.D. La. May 4, 2015) ................................. 13

Hanover Ins. Co. v. Hermosa Constr. Group, LLC, 57 F. Supp. 3d 1389 (N.D. Ga. 2014) .................................................... 16, 17, 18

Heartland, 834 F. Supp. 2d at 604 ........................................................................................ 43

Hodges v. Putzel Elec. Contractors, 580 S.E.2d 243 (Ga. Ct. App. 2003) ................................................................... 22

Holbrook v. Exec. Conference Ctr., Inc., 464 S.E.2d 398 (Ga. Ct. App. 1995) ................................................................... 31

Hunt v. Wash. State Apple Adver. Comm'n, 432 U.S. 333 (1977) ............................................................................................ 36

Iconix, Inc. v. Tokuda, 457 F. Supp. 2d 969 (N.D. Cal. 2006) ................................................................ 41

In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Ca. 2014) ........ 8, 9, 10, 11, 12, 14, 34, 35, 38, 40, 41

In re Atlas Roofing Corp. Chalet Shingle Products Liability Litigation, No. 1:13-md-2495-TWT, 2015 WL 114285 (N.D. Ga. Jan. 8, 2015) ................ 36

In re Facebook Privacy Litig., 572 Fed. App'x 494 (9th Cir. 2014) .................................................................... 14


vii

In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009), aff'd in part, rev'd in part on other grounds, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) ........................................................................ 23, 26

In re Heartland Payment Sys. Inc. Customer Data Breach Sec. Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011) ................................................................ 43

In re Managed Care Litig., 298 F. Supp. 2d 1259 (S.D. Fla. 2003) ............................................................... 36

In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011) ........................................................... 43, 44

In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, 45 F. Supp. 3d 14 (D.D.C. 2014) ........................................................................ 14

In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014) .................................................... 22, 34, 35

In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 2165432 (D. Minn. May 7, 2015) ...................... 49

In re Target Corp. Customer Data Sec. Breach Litig. (“Target (FI Track)”),

64 F. Supp. 3d 1304 (D. Minn. 2014) ........................................ 15, 22, 23, 25, 45

In re Target Corp. Customer Data Sec. Breach Litig. (“Target (Consumer Track)”),

66 F. Supp. 3d 1154 (D. Minn. 2014) ................................................ 9, 20, 21, 34 In re TJX Cos. Retail Sec. Breach Litig.,

564 F.3d 489 (1st Cir. 2009) ........................................................................ 15, 44

In re Zappos.com, Inc., No. 3:12-cv-00325, 2013 WL 4830497 (D. Nev. Sept. 9, 2013) ....................... 23

In re Zappos.com, Inc., No. 3:12-cv-00325, 2015 WL 3466943 (D. Nev. June 1, 2015) ........................ 13


viii

Intercoastal Realty, Inc. v. Tracy, 706 F. Supp. 2d 1325 (S.D. Fla. 2010) ............................................................... 43

James D. Hinson Elec. Contracting Co. v. BellSouth Tel., Inc., No. 3:07-cv-598-J-32MCR, 2008 WL 360803 (M.D. Fla. Feb. 8, 2008) ................................................................................................................... 43

Jasty v. Wright Med. Tech., Inc., 528 F.3d 28 (1st Cir. 2008) ................................................................................. 44

Kelly v. Palmer, Reifler, & Assocs., P.A., 681 F. Supp. 2d 1356 (S.D. Fla. 2010) ............................................................... 43

Kerfoot v. FNF Serving, Inc., No. 1:13-cv-33, 2013 WL 5797662 (M.D. Ga. Oct. 25, 2013) ............................ 8

Kwikset Corp. v. Superior Court, 246 P.3d 877 (Cal. 2011) .................................................................................... 34

Lee v. FTC, 679 F.2d 905 (D.C. Cir. 1980) ............................................................................ 32

Legacy Acad., Inc. v. Mamilove, LLC, 761 S.E.2d 880 (Ga. Ct. App. 2014), aff'd in part and rev'd in part on other grounds, 771 S.E.2d 868 (Ga. 2015) .................................................. 29, 31

Liberty Mut. Fire Ins. Co. v. Cagle's, Inc., No. 1:10-cv-2158, 2010 WL 5288673(N.D. Ga. Dec. 16, .................... 16, 17, 18

Life is Good, Inc., No. C-4218, 2008 WL 1839971 (F.T.C. April 16, 2008) ................................... 38

Lombard's, Inc. v. Prince Mfg., Inc., 753 F.2d 974 (11th Cir.1985), cert. denied, 474 U.S. 1082 (1986) ..................... 7

Lone Star Nat'l Bank v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013) ................................................................. 20, 21, 22

Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) ............................................................................................ 10


ix

McLain v. Mariner Health Care, 631 S.E.2d 435 (Ga. Ct. App. 2006) ................................................................... 25

MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118 (2007) ............................................................................................ 35

Miller v. Bank of Am., No. CGC-99-301917, 2004 WL 2403580 (Cal. Super. Ct. Oct. 13, 2004) ................................................................................................................... 40

Monroe v. Bd. of Regents, 602 S.E.2d 219 (Ga. Ct. App. 2004) ................................................................... 25

Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010) ............................................................................................ 12

Pa. State Emps. Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, 2006 WL 1724574 (M.D. Pa. Jun. 16, 2006) ..................... 49

Perola v. Citibank (S.D.) N.A, 894 F. Supp. 2d 188 (D. Conn. 2012) ................................................................. 42

Powell v. McCormack, 395 U.S. 486 (1969) ............................................................................................ 34

Pulte Home Corp. v. Simerly, 746 S.E.2d 173 (Ga. Ct. App. 2006) ............................................................ 25, 28

Quality Foods de Centro Am., S.A. v. Latin Am. Agric. Dev. Corp., S.A., 711 F.2d 989 (11th Cir. 1983) .............................................................................. 7

Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) ................................................................................. 13

Remax The Mountain Co. v. Tabsum, Inc., 634 S.E.2d 77 (Ga. Ct. App. 2006) ..................................................................... 19

Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015) ............ 8, 9, 11, 12, 14


x

Resnick v. Avmed, Inc., 693 F.3d 1317 (11th Cir. 2012) ..................................................... 8, 9, 11, 15, 23

Rosen v. Protective Life Ins. Co., No. 1:09-cv-03620, 2010 WL 2014657 (N.D. Ga. May 20, 2010) .................... 16

Rowe v. Akin & Flanders, Inc., 525 S.E.2d 123 (Ga. Ct. App. 1999) ................................................................... 25

Saladin v. City of Milledgeville, 812 F.2d 687 (11th Cir. 1987) ............................................................................ 11

Salois v. Mut. of Omaha Ins. Co., 581 P.2d 1349 (Wash. 1978) .............................................................................. 46

Savannah, Fla. & W. RY. Co. v. Pritchard, 1 S.E. 261 (Ga. 1887) ......................................................................................... 13

Brock v. Avery Co., 110 S.E.2d 112 (Ga. Ct. App. 1959) ................................................................... 24

Sheppard v. Yara Engineering Corp., 281 S.E.2d 586 (Ga. 1981) ................................................................................. 17

St. Mary's Hosp. v. Radiology Professional Corp., 421 S.E.2d 731 (Ga. Ct. App. 1992) ................................................................... 30

State v. O'Neill Investigations, Inc., 609 P.2d 520 (Alaska 1980) ............................................................................... 40

Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 2014) .................................................................... 13

Strickland v. Alexander, 772 F.3d 876 (11th Cir. 2014) ............................................................................ 35

Svenson v. Google Inc., No. 13-cv-04080, 2015 WL 1503429 (N.D. Cal. Apr. 1, 2015) ........................ 14

Teague v. Keith, 108 S.E.2d 489 (Ga. 1959) ................................................................................. 31


xi

TechBios, Inc. v. Champagne, 688 S.E.2d 378 (Ga. Ct. App. 2009) ................................................................... 25

Tidikis v. Network for Med. Commc'ns & Research, LLC, 619 S.E.2d 481 (Ga. Ct. App. 2005) ................................................................... 25

Tiller v. State Farm Mut. Auto. Ins. Co., No. 1:12-CV-3432-TWT, 2013 WL 451309 (N.D. Ga. Feb. 5, 2013), aff'd, 549 F. App'x 849 (11th Cir. 2013) ............................................................ 35

TJX Cos., No. C-4227, 2008 WL 3150421 (F.T.C. July 29, 2008) .................................... 38

Unger v. Bryant Equip. Sales & Servs., Inc., 335 S.E.2d 109 (Ga. 1985) ................................................................................. 20

United States Ass'n of Credit Bureaus v. FTC, 299 F.2d 220 (7th Cir. 1962) .............................................................................. 32

United States Retail Credit Ass'n. Inc. v. FTC, 300 F.2d 212 (4th Cir. 1962) .............................................................................. 32

United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669 (1973) ............................................................................................ 10

Via Mat Int'l S. Am. Ltd. v. United States, 446 F.3d 1258 (11th Cir. 2006) ............................................................................ 8

Waldrip v. Voyles, 411 S.E.2d 765 (Ga. 1991) .......................................................................... 17, 18

Wells Fargo Bank v. Jenkins, 744 S.E.2d 686 (Ga. 2013) .......................................................................... 29, 31

West v. Mache of Cochran, Inc., 370 S.E.2d 169 (Ga. Ct. App. 1988) ................................................................... 31

Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702

(N.D. Ga. Feb. 5, 2013) ......................................................................... 20, 21, 26


xii

Windemere, Ltd. v. Bettes, 438 S.E.2d 406 (Ga. Ct. App. 1993) ..................................................................... 8

Worix v. MedAssets, Inc., 869 F. Supp. 2d 893 (N.D. Ill. 2012) .................................................................. 26

Zhang v. Superior Court, 304 P.3d 163 (Cal. 2013) .................................................................................... 41

Statutes

15 U.S.C. § 45(a)(1) ................................................................................................. 24

28 U.S.C. § 2201 et seq., .......................................................................................... 33

28 U.S.C. § 2202 ...................................................................................................... 34

Alaska Stat. Ann. § 45.50.471 ................................................................................. 39

Alaska Stat. Ann. § 45.50.471(b) ............................................................................. 39

Alaska Stat. Ann. § 45.50.471(b)(55) ...................................................................... 39

Alaska Stat. Ann. § 45.50.545 ................................................................................. 39

Cal. Bus. & Prof. Code § 17200 ....................................................................... 40, 41

Cal. Bus. & Prof. Code § 17201 .............................................................................. 41

Cal. Bus. & Prof. Code § 17204 .............................................................................. 41

Cal. Bus. & Prof. Code § 22578 .............................................................................. 40

Cal. Civ. Code § 1798.1 ........................................................................................... 40

Cal. Civ. Code § 1798.81.5(a) ................................................................................. 40

Cal. Civ. Code § 1798.81.5(b) ................................................................................. 41

Conn. Gen Stat. § 42-110g ....................................................................................... 34

Fla. Stat. Ann. § 502.202(2) ..................................................................................... 43


xiii

Fla. Stat. Ann. § 501.211(1) ..................................................................................... 34

815 ILCS 505/10a(c) ................................................................................................ 34

Mass. Gen. Laws Ann. ch. 93A § 11 ....................................................................... 34

Minn. Stat. § 325E.64 .............................................................................................. 13

Minn. Stat. § 325E.64, subd. 2 ................................................................................. 45

O.C.G.A. § 13-6-11 .................................................................................................... 8

O.C.G.A. § 23-2-58 .................................................................................................. 25

O.C.G.A. § 51-1-6 .................................................................................................... 28

O.C.G.A. § 51-1-8 .................................................................................................... 25

O.C.G.A. § 51-1-11(a) ...................................................................................... 16, 19

O.C.G.A. § 51-12-11 ................................................................................................ 13

Wash. Rev. Code § 19.255.020 ......................................................................... 13, 45

Wash. Rev. Code § 19.255.020(3)(a) ...................................................................... 46

Wash. Rev. Code § 19.86.020 .................................................................................. 46

Wash. Rev. Code § 19.86.090 .................................................................................. 34

Other Authorities

7AA CHARLES A. WRIGHT, ET AL., FEDERAL PRACTICE AND PROCEDURE § 1775 (3d ed. 2008) ........................................................................................... 34 WILLIAM L. PROSSER & W. PAGE KEETON, LAW OF TORTS § 53 at 356, 358 (5th ed. 1984) ........................................................................... 21

RESTATEMENT (SECOND) OF TORTS § 282 ................................................................ 21

RESTATEMENT (SECOND) OF TORTS § 919 ................................................................ 13


1

INTRODUCTION

Judge Murphy recently refused to dismiss a negligence claim by students

whose personal data was stolen after the door to the room containing their records

was left unlocked. Bishop v. Shorter Univ., Inc., No. 4:15-CV-00033-HLM (N.D.

Ga. June 4, 2015). Home Depot’s misconduct was far worse. For years, Home

Depot left the virtual doors to its computer systems wide open despite repeated

warnings about what would happen if security was not improved. The results were

devastating and entirely foreseeable: one of the largest retail data breaches in

history and use of the stolen information to make millions of fraudulent

transactions on credit and debit cards belonging to Home Depot customers.

The brunt of the financial loss has been borne by Plaintiffs – the financial

institutions that issued the cards, paid for the fraudulent transactions and were

forced to reissue millions of cards to mitigate the ongoing fraud. Plaintiffs bring

this action to recover their losses from Home Depot on claims of negligence,

negligence per se, and violation of various state statutes and for appropriate

equitable relief. Home Depot moves to dismiss Plaintiffs’ claims. None of the

grounds for the motion have merit. The motion should be denied.

First, Home Depot argues Plaintiffs lack standing, ignoring that Plaintiffs

paid for their customers’ fraud losses – the type of concrete, economic injury that


2

readily confers standing. Instead, Home Depot asserts no standing exists because

“the vast majority” of Plaintiffs’ damages are due to their “voluntary” decision to

reissue cards to prevent “hypothetical future harm.” Setting aside that Home

Depot’s factual allegations cannot be considered on a motion to dismiss, Plaintiffs

allege they had out-of-pocket financial loss from reimbursing their customers for

fraud losses stemming from the breach – the quintessential injury-in-fact – and

reissued cards in the face of substantial risk of actual and impending harm and

under a legal duty to mitigate their damages. These allegations are sufficient.

Second, Home Depot argues Plaintiffs’ negligence and negligence per se

claims are barred by the economic loss rule. While prohibiting recovery in tort for

purely economic losses from a breach of contract, the rule does not apply if a right

of action exists independent of the contract. Plaintiffs do not seek damages

stemming from breach of contract, but breach of an independent tort duty. Thus,

the rule is inapplicable.

Third, Home Depot seeks dismissal of the negligence and negligence per se

claims because it purportedly had no duty to protect Plaintiffs from a “criminal

intrusion.” Yet, Georgia imposes a common law duty of reasonable care to avoid

causing foreseeable injury to others. In the Target data breach litigation, Judge

Magnuson recently construed similar Minnesota law to impose a duty owed to the


3

financial institutions to protect cardholder data. And, as Judge Murphy held in

Bishop, foreseeable intervening criminal activity does not relieve a defendant from

liability. Moreover, Section 5 of the Federal Trade Commission Act imposes a

statutory duty not to engage in unfair practices, which the FTC has repeatedly

determined includes the failure to maintain reasonable data security measures.

Fourth, Plaintiffs have adequately alleged a case or controversy under the

Declaratory Judgment Act, entitlement to equitable relief and an imminent risk of

future harm if Home Depot’s data security problems are not fixed. That Home

Depot contests the accuracy of these allegations is no basis for dismissal.

Fifth, in asserting Plaintiffs have no claim under any state statutes, Home

Depot misreads the complaint and applicable law. Plaintiffs adequately plead

statutory violations in eight states.

Sixth, Home Depot argues that Plaintiffs’ claims are not ripe because

Plaintiffs could “potentially” recover some of their losses through what it terms the

“Card Brand Recovery Process.” That process arises from contracts not before the

Court and thus cannot be considered on a motion to dismiss. Regardless, the

ripeness doctrine does not apply to claims seeking damages and has no bearing

here, particularly since the recovery processes are voluntary, provide only partial

relief, and specifically preserve the right to pursue judicial remedies.


4

FACTUAL BACKGROUND

Home Depot’s then-CEO and current Board Chairman Frank Blake all but

admitted the company’s negligence caused the breach when in November, 2014 he

stated “[i]f we rewind the tape, our security systems could have been better. Data

security just wasn’t high enough in our mission statement.” He also conceded the

company’s security systems were “desperately out-of-date.” Compl. ¶¶ 158-59.

For years Home Depot de-emphasized data security, creating a culture

characterized by neglect, incompetence and an overarching desire to minimize

costs. Id. ¶ 2. Employees and outside consultants repeatedly warned about

problems and recommended improvements, but the warnings went unheeded and

the recommendations ignored. Id. ¶ 160. Senior management discouraged IT staff

from making changes that would cost money and shelved important remedial

efforts, including a project to encrypt data on the point-of-sale terminals penetrated

by the hackers. Id. ¶¶ 98-101, 103, 110-14, 116. As a result, competent IT security

staff left the company in droves, and at least one employee warned friends to use

cash, rather than credit cards, at Home Depot stores. Id. ¶¶ 117-20.

The specific security problems that made Home Depot a sitting target for

hackers included the failure to: update security software; maintain an adequate

firewall; have controls to keep unauthorized users from navigating its network


5

without detection; restrict access to cardholder data to those who had a need-to-

know; use coded numbers to disguise point-of-sale terminals in self-checkout

lanes; have up-to-date antivirus software; encrypt cardholder data at the point-of-

sale; adequately monitor its network for suspicious activity; and properly scan its

in-store computer systems for vulnerabilities. Id. ¶¶ 95-96.

While the danger invited by Home Depot’s failure to fix these security

problems was longstanding, red flags warning of an imminent problem were

repeatedly raised in the ten months before the 2014 breach occurred, including:

x July 2013: Home Depot discovered data-stealing malware on point-of-sale terminals at a Texas store, signaling hackers were testing its systems.

x August 2013: Visa warned Home Depot of an increase in retail data breaches involving the type of point-of-sale terminals Home Depot used.

x October 2013: A consultant warned Home Depot its “NTP” firewall had been shut off and needed to be turned on.

x December 2013: Home Depot discovered that point-of-sale terminals at a Maryland store had been hacked with malware the NTP firewall was specifically designed to block.

x January 2014: An outside consultant told Home Depot its network did not comply with industry standards and was vulnerable to attack.

x January 2014: The FBI warned Home Depot of the increasing risk to customer data posed by malware on point-of-sale systems.

x February 2014: A consultant again told Home Depot to turn on the NTP firewall.

Id. ¶¶ 126-29, 134-36. Yet, Home Depot still failed to fix its ongoing problems.


6

Home Depot also received an urgent wake-up call in December, 2013 when

a huge data breach occurred at Target, the nation’s second largest retailer,

dramatically demonstrating that lax IT security could be exploited on a massive

scale. Id. ¶ 130. In response, Home Depot formed a task force that recommended

the same remedial actions its IT staff had been recommending for years. Despite

the obvious risk of delay, Home Depot did not act immediately, even failing to

make easy fixes such as upgrading its antivirus software, activating all of its

security features and turning on the NTP firewall. As a result, when the hackers

attacked, Home Depot’s systems remained vulnerable. Id. ¶¶ 131, 136-37.

Beginning in approximately April 2014, hackers accessed Home Depot’s

computer system, exploiting the very vulnerabilities it repeatedly had been warned

about. Id. ¶¶ 138-40. The hackers placed malware on Home Depot’s self-checkout

terminals that remained undetected for roughly five months. Id. ¶ 141. In early

September 2014, payment card data stolen from Home Depot was sold on the

internet black market to thieves who used the data to make millions of fraudulent

transactions. Id. ¶¶ 145-47, 149-50, 152.

To mitigate the quickly mounting losses, financial institutions reissued cards

compromised by the breach and took other action, such as notifying customers,

increasing fraud monitoring, and closing accounts. Moreover, financial institutions,


7

which bear almost all liability for credit and debit card fraud, reimbursed

customers for fraudulent transactions on their cards. Id. ¶¶ 186-87.

ARGUMENT AND CITATION OF AUTHORITY

A complaint should be dismissed only where the facts alleged fail to state a

“plausible” claim for relief. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Factual

allegations must be taken as true and construed in the light most favorable to the

plaintiff. See Quality Foods de Centro Am., S.A. v. Latin Am. Agric. Dev. Corp.,

S.A., 711 F.2d 989, 994-95 (11th Cir. 1983). Generally, notice pleading is all that is

required. See Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th

Cir.1985), cert. denied, 474 U.S. 1082 (1986). The complaint need only provide

fair notice of the claim and the grounds upon which it rests. See Erickson v.

Pardus, 551 U.S. 89, 93 (2007) (citing Bell Atlantic Corp. v. Twombly, 550 U.S.

544, 555 (2007). Plaintiffs’ complaint meets these pleading standards.

I. ARTICLE III STANDING EXISTS

A. Plaintiffs Suffered Concrete Injuries, Traceable to Home Depot, That Can Be Redressed by a Judgment in Their Favor

Under long-settled Article III standing jurisprudence, a plaintiff must plead

an injury that is “‘concrete, particularized, and actual or imminent; fairly traceable

to the challenged action; and redressable by a favorable ruling.’” Clapper v.

Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) (citation omitted). Plaintiffs


8

adequately plead each of these three elements, demonstrating they have each

suffered an injury-in-fact that is fairly traceable to Home Depot’s conduct and can

be remedied by a judgment in their favor. As a result, Article III standing exists.1

Plaintiffs allege concrete, particularized and actual injury. First and

foremost, each Plaintiff reimbursed its customers for fraudulent transactions.

Compl. ¶ 4, 11, 187-89. Plaintiffs also incurred substantial costs reissuing cards to

prevent additional fraud, notifying customers their cards had been compromised,

investigating fraud claims and losing income from reduced card usage. Id. ¶ 187.

These injuries suffice for standing purposes. See, e.g., Via Mat Int’l S. Am. Ltd. v.

United States, 446 F.3d 1258, 1263 (11th Cir. 2006) (economic harm creates

standing); Resnick v. Avmed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) (monetary

damages incurred as a result of identity theft constitute injury-in-fact); Remijas v.

Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814, at *5 (7th Cir. July

20, 2015) (actions needed to mitigate future harm from identity theft confer

standing); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1217 (N.D.

1 Home Depot is incorrect that Plaintiffs’ O.C.G.A. § 13-6-11 claim must be dismissed. HD Br. at 8 n. 3. Fees may be recovered where, as pled here, the defendant was grossly negligent and acted in utter disregard of a duty, despite the existence of a bona fide controversy as to liability. Windemere, Ltd. v. Bettes, 438 S.E.2d 406, 409 (Ga. Ct. App. 1993). Dismissal thus would be error. See Kerfoot v. FNF Serving, Inc., No. 1:13-cv-33, 2013 WL 5797662, at *7 (M.D. Ga. Oct. 25, 2013) (O.C.G.A. § 13-6-11 claim cannot be resolved at the dismissal stage).


9

Ca. 2014) (costs to mitigate effects of a data breach establish standing).

Plaintiffs’ injuries are fairly traceable to Home Depot’s conduct. The

complaint specifies how Home Depot’s negligence proximately caused the breach

and led directly to Plaintiffs’ losses. Compl. ¶¶ 2, 4-5, 158-65, 186-87, 214. These

allegations are enough. See, e.g., Avmed, 693 F.3d at 1324 (allegations plaintiffs

were victims of identity theft after defendant’s unencrypted laptops were stolen

sufficed to “fairly trace” their injury to defendant’s conduct); Adobe, 66 F. Supp.

3d at 1217; In re Target Corp. Customer Data Sec. Breach Litig. (“Target

(Consumer Track)”), 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014); Neiman Marcus,

2015 WL 4394814, at *7.

Finally, Plaintiffs’ injuries are redressable by a judgment or settlement

providing money damages and appropriate equitable relief. See, e.g., Adobe, 66 F.

Supp. 3d at 1217; Avmed, 693 F.3d at 1324; Target (Consumer Track), 66 F. Supp.

3d at 1159; Neiman Marcus, 2015 WL 4394814, at *8.

B. Home Depot’s Standing Arguments are Meritless

1. Each Plaintiff Has Sufficiently Alleged a Concrete Injury

Home Depot argues that Plaintiffs have not adequately alleged concrete

injury. Noting that paragraphs 12-79 of the complaint list only the name and

headquarters of each Plaintiff, Home Depot concludes no Plaintiff alleges an


10

injury. Home Depot ignores the express allegation in paragraph 11 that each

Plaintiff issued compromised cards and suffered injuries including reissuance costs

and fraud losses. See ¶¶ 4, 11, 187, 214, 221, 266. Nothing requires that the same

language be repeated for each Plaintiff. See generally Adobe, 66 F. Supp. 3d at

1226-27 (“the pleading standard is not so rigid as to insist that each count repeat

every factual allegation”). Further, Home Depot discounts other paragraphs

because they “vaguely” allege “the same general categories of injuries.” HD Br. 9.

Yet, there is no rule requiring each Plaintiff to suffer a different injury, United

States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S.

669, 687 (1973) (“standing is not to be denied simply because many people suffer

the same injury”), and more detailed allegations are not required, Lujan v.

Defenders of Wildlife, 504 U.S. 555, 561 (1992) (“general factual allegations of

injury” are sufficient to show standing at the pleading stage).

Through a subtle sleight of hand, Home Depot avoids addressing all of

Plaintiffs’ injuries and specifically ignores the costs of reimbursing fraud losses.

Asserting mitigation costs are the “vast majority” of Plaintiffs’ damages (an

assertion which is of news to Plaintiffs), Home Depot focuses almost its entire

analysis on whether mitigation costs confer standing. The failure to deal with

Plaintiffs’ other injuries is both telling and fatal. Plaintiffs need not show that all of


11

their injuries satisfy Article III so long as at least one injury meets the standing

requirement. See, e.g., Saladin v. City of Milledgeville, 812 F.2d 687, 689 n.3 (11th

Cir. 1987) (declining to consider alternative theory of standing after finding

another theory of standing was satisfied); Neiman Marcus, 2015 WL 4394814 at

*1 (standing can be shown if “at least some” of the injuries satisfy Article III).

Plaintiffs’ costs of reimbursing fraud losses were not incurred to mitigate future

harm but from a legal duty to redress fraudulent acts that already had occurred. As

a result, there is no question Plaintiffs have standing, particularly in light of the

Eleventh Circuit’s holding in Avmed that monetary damages stemming from

“actual identity theft” are sufficient. 693 F.3d at 1323. Home Depot fails to cite or

even attempt to distinguish Avmed.

2. Mitigation Costs Incurred by Plaintiffs Confer Standing

Even if Plaintiffs had not reimbursed fraud losses, Home Depot’s standing

argument, relying on Clapper, does not warrant dismissal. Clapper does not

represent a dramatic reworking of standing jurisprudence. See, e.g., Adobe, 66 F.3d

at 1213 (“Clapper did not change the law governing Article III standing.”);

Neiman Marcus, 2015 WL 4394814 at *5 (“it is important not to overread

Clapper”). Clapper merely confirms that where standing is based on a “threatened

injury,” that injury “must be certainly impending to constitute injury in fact” and


12

“‘[a]llegations of possible future injury’ are not sufficient.” 133 S. Ct. at 1147

(citations omitted).

Unlike Clapper, which turned on a “highly attenuated chain of possibilities”

and concern the plaintiffs had tried to manufacture standing, 133 S. Ct. 1147-48,

Plaintiffs here did not incur mitigation expenses to establish standing or to address

a hypothetical risk of future harm. Rather, when Plaintiffs acted, millions of cards

already had been compromised, sold to thieves and were being used to commit

fraud on a massive and mounting scale. Immediate reissuance was needed to stop

the bleeding and avoid additional harm that was “certainly impending.” Plaintiffs’

mitigation costs thus confer standing under Clapper. See, e.g., Neiman Marcus,

2015 WL 4394814 at *3-5; Adobe, 66 F. Supp. 3d at 1216-17.

In fact, Clapper supports Plaintiffs’ position by recognizing that standing

can be “based on a ‘substantial risk’ that [future] harm will occur, which may

prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” 133 S.

Ct. at 1150 n.5 (citing Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153-

55 (2010)). Faced with substantial risk of additional fraud, Plaintiffs’ decisions to

reissue cards were reasonable. As the First Circuit recognized in a data breach case

involving information belonging to more than 4 million customers:

That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement of cards as mitigation. Those


13

banks thought the cards would be subject to unauthorized use, and cancelled those cards to mitigate their own losses in what was a commercially reasonable judgment.

Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164 (1st Cir. 2011).

Plaintiffs had a legal duty to mitigate damages, see O.C.G.A. § 51-12-11,

and are entitled to recover the expenses they incurred in doing so. See, e.g.,

Hannaford, 659 F.3d at 164; RESTATEMENT (SECOND) OF TORTS § 919 (“One

whose legally protected interests have been endangered by the tortious conduct of

another is entitled to recover for expenditures reasonably made or harm suffered in

a reasonable effort to avert the harm threatened.”); Savannah, Fla. & W. RY. Co. v.

Pritchard, 1 S.E. 261, 264 (Ga. 1887). Moreover, the Washington and Minnesota

statutes pled here explicitly authorize recovery of mitigation costs. See Wash. Rev.

Code § 19.255.020; Minn. Stat. § 325E.64. Plaintiffs have standing to recover

mitigation expenses that they are legally authorized to recover.

The other cases Home Depot cites (HD Br. 11-12) – all of which involve

consumer rather than financial institution plaintiffs – are inapposite.2 Unlike here,

2 See, e.g., Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 881 n.18 (N.D. Ill. 2014) (plaintiff “concede[d] that she has not sought or received any notice . . . that her PII was compromised by the breach”); Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011) (“no evidence suggests that the data has been—or will ever be—misused”); In re Zappos.com, Inc., No. 3:12-cv-00325, 2015 WL 3466943, at *7-9 (D. Nev. June 1, 2015) (plaintiffs did not show actual financial damages); Green v. Ebay Inc., No. 14-1688, 2015 WL 2066531, at *4-5 (E.D. La.


14

none involved actual injuries, unauthorized charges, or misuse of stolen data. See

Adobe, 66 F. Supp. 3d at 1215-16 (distinguishing Galaria v. Nationwide Mutual

Insurance Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014) and In re Science

Applications International Corp (SAIC) Backup Tape Data Theft Litigation, 45 F.

Supp. 3d 14 (D.D.C. 2014) on the ground neither involved stolen data that had

already been misused or surfaced on websites). Moreover, one was reversed after

Home Depot’s brief was filed. See Neiman Marcus, 2015 WL 4394814, at *8.

3. Lost Card Value Constitutes an Injury-in-Fact

Home Depot also argues Plaintiffs were not injured when the cards they

issued were rendered worthless because Plaintiffs fail to explain how the cards

“could ever have value.” Such allegations suffice for standing. See Svenson v.

Google Inc., No. 13-cv-04080, 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015)

(allegation the value of plaintiffs’ personal information was diminished was

sufficient for pleading purposes); In re Facebook Privacy Litig., 572 Fed. App’x

494 (9th Cir. 2014). Regardless, the cards have value to Plaintiffs, as they represent

an income stream that may be diminished if a compromised card is never again May 4, 2015) (plaintiff’s information was compromised but not yet misused and no financial information was stolen during the breach); Giordano v. Wachovia Sec., LLC, 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (plaintiff did not allege “even that her financial information was stolen or ended up in the possession of someone who might potentially misuse it”).


15

used. See In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498 (1st Cir.

2009) (card data “can have value and the value can be lost”). Moreover, the cards

are valued between $50 and $100 on the black market.3 Compl. ¶¶ 145-47.

II. PLAINTIFFS ADEQUATELY PLEAD NEGLIGENCE CLAIMS

Plaintiffs allege Home Depot violated its common law and statutory duties

by failing to use reasonable measures to protect cardholder data and to provide

timely notice of the breach. The complaint details Home Depot’s negligent acts

and omissions and alleges that its negligence proximately caused Plaintiffs’

injuries. Compl. ¶¶ 205-15. These allegations are enough to survive dismissal. See,

e.g., Avmed, 693 F.3d at 1325-28 (plaintiffs plausibly pled negligence claim arising

from data breach); Bishop, No. 4:15-CV-00033-HLM, at 21-30; In re Target Corp.

Customer Data Sec. Breach Litig. (“Target (FI Track)”), 64 F. Supp. 3d 1304,

1309-10 (D. Minn. 2014) (denying motion to dismiss negligence and negligence

per se claims). While Home Depot argues the claims are barred by the economic

loss rule and it owed no duty to Plaintiffs, its arguments lack merit.

A. The Economic Loss Rule Does Not Bar the Negligence Claims

“The economic loss rule provides that a plaintiff may not recover in tort for

3 Home Depot’s reliance on Anderson v. City of Alpharetta, 770 F.2d 1575 (11th Cir. 1985) is misplaced. The case upheld dismissal of the NAACP on the eve of trial in a housing discrimination case because it never alleged a concrete injury or even identified a single victim. Id. at 1583.


16

purely economic damages arising from a breach of contract.” Hanover Ins. Co. v.

Hermosa Constr. Group, LLC, 57 F. Supp. 3d 1389, 1395 (N.D. Ga. 2014). On its

face, the rule is inapplicable here because Plaintiffs are not parties to any contracts

with Home Depot. While Home Depot asserts it is a party to a “chain of contracts”

that includes Plaintiffs, no such contracts are before the Court, and it would be

inappropriate to consider them at this stage. See Banknorth, N.A. v. BJ’s Wholesale

Club, Inc., 394 F. Supp. 2d 283, 287 (D. Me. 2005). Regardless of whether

Plaintiffs and Home Depot are contractually related, the economic loss rule does

not apply because of two exceptions.

First, “where an independent duty exists under the law, the economic loss

rule does not bar a tort claim because the claim is based on a recognized

independent duty of care and thus does not fall within the scope of the rule.”

Liberty Mut. Fire Ins. Co. v. Cagle’s, Inc., No. 1:10-cv-2158, 2010 WL 5288673,

at *3 (N.D. Ga. Dec. 16, 2010) (quotation omitted); see also Hanover Ins. Co., 57

F. Supp. 3d at 1396; Rosen v. Protective Life Ins. Co., 1:09-cv-03620, 2010 WL

2014657, at *9 (N.D. Ga. May 20, 2010); O.C.G.A. §51-1-11(a) (“if [a] tort results

from a violation of a duty which is itself the consequence of a contract, the right of

action is confined to the parties and those in privity to that contract, except in cases

where the party would have a right of action for the injury done independently of


17

the contract”).

The Georgia Supreme Court described the basis for this legal principle in

Sheppard v. Yara Engineering Corp., 281 S.E.2d 586, 587 (Ga. 1981):

It is axiomatic that a single act or course of conduct may constitute not only a breach of contract but an independent tort as well, if in addition to violating a contract obligation it also violates a duty owed to plaintiff independent of contract to avoid harming him. . . .Thus, to constitute a tort the duty must arise independent of the contract.

(internal quotation marks and citation omitted). The independent duty exception

applies when the plaintiff identifies “a statutory or common law duty that would

have existed absent the underlying contract.” Hanover Ins. Co., 57 F. Supp. 3d at

1396 (citing Liberty Mut., 2010 WL 5288673, at *3); see also Waldrip v. Voyles,

411 S.E.2d 765, 767 (Ga. 1991) (independent duty may also arise from “relations

created by contract, express or implied”). Plaintiffs identify numerous independent

duties in the following section of this brief, triggering this exception.

Second, Georgia recognizes an “accident” exception to the economic loss

rule based upon the “general duty under tort law, independent of any contract, to

avoid causing a sudden and calamitous event which . . . poses an unreasonable risk

of injury to other persons or property.” Argonaut Midwest Ins. Co. v. McNeilus

Truck & Mfg., Inc., 1:11-cv-3495, 2013 WL 489141, at *4 (N.D. Ga. Feb. 8, 2013)

(quotations omitted). The accident exception applies here because a data breach


18

case presents a real danger of harm to persons or property and is a sudden and

calamitous event. See Cumis Ins. Soc’y, Inc. v. Merrick Bank Corp., No. CIV 07-

374, 2008 WL 4277877, at *7-8 (D. Ariz. Sept. 18, 2008) (declined to apply the

rule because a “data security breach is comparable to a tortious ‘accident’ and the

damages are of a type that caused economic harm to persons or entities”).

Home Depot fundamentally misreads Georgia’s economic loss rule.

According to Home Depot, “there is no recovery in tort for economic losses unless

they result from injury to person or property.” HD Br. 14. Because Plaintiffs have

not alleged personal injury or property damage, Home Depot reasons, the

economic loss rule applies. This argument is inconsistent with numerous cases

declining to apply the rule where plaintiffs sought economic losses other than

physical injury. See, e.g., Liberty Mut., 2010 WL 5288673, at *3 (claim relating to

insurance premiums was not barred where the claim arose out of an independent

duty of good faith); Hanover Ins. Co., 57 F. Supp. 3d at 1396 (refusing to apply the

rule where plaintiff sought damages from mishandling a surety claim); Waldrip,

411 S.E.2d at 593-94 (negligence claim for economic losses resulting from

misallocation of a debtor’s payments not barred).

Further, Home Depot’s position is unsupported by the three cases it cites,

none of which hold economic losses cannot be recovered in a tort action. General


19

Electric Co. v. Lowe’s Home Centers, Inc., did not apply the rule because the

plaintiff sought to recover lost profits, but because the plaintiff sought to recover

lost profits based on damage to someone else’s property. 608 S.E.2d 636, 637-38

(Ga. 2005). Addressing a question from the Eleventh Circuit – i.e., “whether

Georgia’s economic loss rule allows a plaintiff to recover in tort lost profits that

would have only been realized by using its damaged property and other damaged

property that it did not own” – the court held that “a plaintiff may only recover lost

profits associated with damage to its own property.” Id. at 637 (second and third

emphasis added). Similarly, Remax The Mountain Co. v. Tabsum, Inc., simply held

in reliance on General Electric that “a plaintiff cannot recover economic losses

associated with injury to the person or damage to the property of another.” 634

S.E.2d 77, 79 (Ga. Ct. App. 2006) (emphasis added). City of Atlanta v. Benator

applied the economic loss rule in a contract case and the court declined to find an

independent duty based on the “the particular facts and circumstances” of the

case.4 714 S.E.2d 109, 117 (Ga. Ct. App. 2011).

4 Traditionally, Georgia courts have applied the rule only in defective product cases. See Benator, 714 S.E.2d at 116. After General Electric, a few courts have applied the rule in other cases, id., but the case law is neither well developed nor particularly well-reasoned. For example, Benator suggests the rule can provide guidance regarding the existence of an independent duty. Id. But, under O.C.G.A. §51-1-11(a), the existence of an independent duty precludes application of the rule. To conflate the concepts of duty and application of the rule is both circular and


20

Home Depot also cites several cases from other jurisdictions invoking the

rule to bar negligence claims in data breach cases. Other cases have reached the

opposite result. See Lone Star Nat’l Bank v. Heartland Payment Sys., Inc., 729

F.3d 421, 426 (5th Cir. 2013); Banknorth, N.A., 394 F. Supp. 2d at 286; Target

(Consumer Track), 66 F. Supp. 3d at 1171-76. These cases all turn on the scope of

the applicable state’s law and thus offer limited guidance here except for the

Target decision, which construed Georgia’s economic loss rule and refused to

apply it to negligence claims in a data breach case.5 Id. at 1173.

The only Georgia data breach case Home Depot cites is Willingham v.

Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702, at *18 (N.D.

Ga. Feb. 5, 2013). The unpersuasive decision is a magistrate judge’s report and

recommendation that was never adopted because the parties settled, contains only a

rudimentary discussion of Georgia’s economic loss rule and involves claims

unhelpful. Cf. Unger v. Bryant Equip. Sales & Servs., Inc., 335 S.E.2d 109 (Ga. 1985) (the issue is not one of “the ‘economic loss’ versus ‘physical damage’ dichotomy that is used in products liability cases,” but “whether the [plaintiff] has asserted a claim in tort which does not arise from the contract, but is independent of it”) (internal quotations omitted). 5 Home Depot concedes that Georgia law applies for purposes of its motion and that this Court has ruled the choice of law analysis is more appropriate at class certification. (HD Br. 14 n.4.) Accordingly, Plaintiffs need not address the law in other states at this time, especially since the consumer plaintiffs have already done so. See Consumer Plaintiffs’ Opposition, Appendix 4.


21

against a processor that had no direct role in the breach. See Target (Consumer

Track), 66 F. Supp. 3d at 1173 (distinguishing Willingham). Moreover, the

decision relies upon two out-of-state cases, one of which was later reversed. See

Heartland Payment Systems, Inc. 729 F.3d 421 (reversing holding that plaintiffs’

claim was barred). Willingham is also inconsistent with Judge Murphy’s refusal to

dismiss a negligence claim based upon the failure to protect personal data, which

implicitly recognized a common law duty. Bishop, No. 4:15-cv-00033, at 21-30.

B. Home Depot Owed a Legal Duty to Plaintiffs

The duty element of a negligence claim – the only element that Home Depot

challenges in its motion to dismiss – involves the “question of whether the

defendant is under any obligation for the benefit of the particular plaintiff” and

represents “an expression of the sum total of those considerations of policy which

lead the law to say that the plaintiff is entitled to protection.” WILLIAM L. PROSSER

& W. PAGE KEETON, LAW OF TORTS § 53 at 356, 358 (5th ed. 1984).

Georgia recognizes a “general duty one owes to all the world not to subject

them to an unreasonable risk of harm. . . . ‘[N]egligence is conduct which falls

below the standard established by law for the protection of others against

unreasonable risk of harm.’” Bradley Ctr., Inc. v. Wessner, 296 S.E.2d 693, 695

(Ga. 1982) (citing RESTATEMENT (SECOND) OF TORTS § 282); see, e.g., Corbitt v.


22

Walgreen Co., No. 7:14-CV-17 (MTT), 2015 WL 1726011, at *2 (M.D. Ga. Apr.

15, 2015). The duty requires the exercise of ordinary care to avoid causing

“foreseeable” and “unreasonable” harm. Hodges v. Putzel Elec. Contractors, 580

S.E.2d 243, 247 (Ga. Ct. App. 2003). To be foreseeable, it is only necessary to

anticipate that some injury will result, not all the particular consequences that

might ensue. Corbitt, 2015 WL 1726011, at *2 (citation omitted).

Consistent with these principles, the complaint alleges Home Depot had a

general duty to prevent foreseeable risk of harm to others and Plaintiffs’ injuries

were foreseeable if cardholder data was not adequately protected. There can be no

question that Plaintiffs’ injuries were foreseeable. See, e.g., Heartland, 729 F.3d at

426; Target (FI Track), 64 F. Supp. 3d at 1310. Indeed, Home Depot

acknowledged the risk in its annual reports since 2008. Compl. ¶¶ 205-06.

Accordingly, pursuant to its general duty under Georgia law to avoid subjecting

Plaintiffs to an unreasonable risk of harm, Home Depot had a duty to secure

cardholder data and notify Plaintiffs of the breach in a timely manner.

Courts considering whether there is a duty to protect confidential

information agree that this duty exists – in cases brought by both consumers and

financial institutions. See, e.g., In re Sony Gaming Networks & Customer Data

Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014) (“the existence of a


23

legal duty to safeguard a consumer’s confidential information entrusted to a

commercial entity . . . [is] well supported by both common sense and [applicable

state] law”); Avmed, 693 F.3d at 1326-28 (health care provider had duty to secure

customer information); In re Zappos.com, Inc., No. 3:12-cv-00325, 2013 WL

4830497, at *3 (D. Nev. Sept. 9, 2013) (finding duty to “protect Plaintiffs’ private

data from electronic theft with sufficient electronic safeguards”); In re Hannaford

Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 115 (D. Me.

2009), aff’d in part, rev’d in part on other grounds, Anderson v. Hannaford Bros.

Co., 659 F.3d 151 (1st Cir. 2011) (“when a merchant is negligent in handling a

customer’s electronic payment data and that negligence causes an unreimbursed

fraudulent charge or debit against a customer’s account, the merchant is liable for

that loss”); Banknorth N.A., 394 F. Supp. 2d. at 286-87 (merchant owed a duty to

issuing bank “to safeguard cardholder information from thieves”); Target (FI

Track), 64 F. Supp. 3d at 1310 (merchant owed a duty to issuing banks to protect

cardholder data based on the general duty to avoid a foreseeable risk of harm).6

6 Home Depot contends, without citing any authority, that Target is an “outlier.” To the contrary, the weight of authority recognizes a duty to protect private information, including the Eleventh Circuit’s decision in Avmed that Home Depot ignores. Most of the cases rejecting claims by consumers and the relatively few claims by financial institutions have been decided on other grounds, specifically standing and the economic loss rule, not the lack of a duty. Further, the trend in the


24

Recognizing Home Depot has a legal duty fulfills the underlying purposes of

negligence law – compensation and deterrence – by placing the risk of financial

loss on the only entity with the ability to prevent that loss. Absent a duty to protect

customers’ data, a merchant such as Home Depot has a strong incentive to cut

corners, take minimum precautions and, as Home Depot’s CEO admitted, not place

data security “high enough on its mission statement” while the financial

institutions that issued the cards, which have little ability to protect themselves, are

forced to bear the costs. On the other hand, if a duty is imposed holding merchants

legally responsible, they will implement adequate data security measures to avoid

having to pay damages to those who are injured.

Other factors also support imposing a duty on Home Depot. For example,

Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1), creates a legal duty to refrain from

engaging in unfair or deceptive acts. According to the FTC, the failure to maintain

adequate security measures is an unfair practice prohibited by the Act. See FTC v.

Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 622 (D.N.J. 2014). Whether an

action for negligence per se can be based on Section 5, the federal mandate to

avoid unfair practices by having adequate data security lends credence to the

existence of a duty in a traditional negligence action. See, e.g., Brock v. Avery Co., law – represented by Target, Adobe, and the Seventh Circuit’s decision last month in Neiman Marcus – has been to expand liability for data breach claims.


25

110 S.E.2d 112, 126 (Ga. Ct. App. 1959) (a statute that is too indefinite to

constitute negligence per se does “furnish a rule of civil conduct”); Pulte Home

Corp. v. Simerly, 746 S.E.2d 173, 179 (Ga. Ct. App. 2006) (citing McLain v.

Mariner Health Care, 631 S.E.2d 435, 437-38 (Ga. Ct. App. 2006) for the

proposition that “violations of federal statutes and regulations support [a] claim of

breach of legal duty in both traditional negligence and negligence per se actions”).

Similarly, imposing a legal duty on Home Depot is consistent with industry

standards, its internal policies regarding data security and the public statements on

its website that it was using “industry standard means” to protect customer

information and that its security measures were “appropriate for the type of

information we collect.”7 Compl. ¶ 207. See Target (FI Track), 64 F. Supp. 3d at

1310 (discounting the burden of imposing a duty on merchants because they have

already “voluntarily assumed” similar duties); Rowe v. Akin & Flanders, Inc., 525

S.E.2d 123, 126 (Ga. Ct. App. 1999) (duty implied by law requiring contractor to

7 Plaintiffs also allege they had a “special relationship” with Home Depot that supports imposing a duty. Such a relationship may arise from particular facts, by law, or the relationship between the parties. See O.C.G.A. §§ 23-2-58 and 51-1-8; Monroe v. Bd. of Regents, 602 S.E.2d 219, 222 (Ga. Ct. App. 2004); TechBios, Inc. v. Champagne, 688 S.E.2d 378, 382 (Ga. Ct. App. 2009). The existence of a special relationship is a fact question and thus cannot be resolved on a motion to dismiss. Tidikis v. Network for Med. Commc’ns & Research, LLC, 619 S.E.2d 481, 484-85 (Ga. Ct. App. 2005).


26

perform its work in accordance with industry standards). These factors buttress the

longstanding common law duty to avoid foreseeable harm that is dispositive here,

demonstrate that imposing a duty is not burdensome, and thus should be

considered in the duty analysis.

None of the cases Home Depot cites compels a different result. Willingham,

which as already noted is an unpersuasive report and recommendation that was

never adopted, did not discuss the general duty under Georgia law to avoid

foreseeable risk of harm and was based largely on two out-of-state cases, one of

which was later reversed. 2013 WL 440702, at *18. Worix v. MedAssets, Inc.,

simply declined to adopt a new legal duty under state law in light of a state

appellate decision reserving the issue for the legislature. 869 F. Supp. 2d 893, 897-

98 (N.D. Ill. 2012). And, Citizens Bank of Pa. v. Reimbursement Techs., Inc.,

involved dissimilar facts – a “rogue employee” who stole patient information –

leading the court to decline to impose a duty because the plaintiff, unlike in this

case, failed to allege how the company’s security systems were inadequate, the

actions of the employee were foreseeable and enhanced data security would have

made any difference.8 No. 12-1169, 2014 WL 2738220, at *2-4 (E.D. Pa. 2014).

8 The other two cases Home Depot cites involved a common law duty to provide notice of a data breach. In re Hannaford held that Maine did not recognize a “stand-alone” claim for failure to provide such notice, but the case is not helpful to


27

C. Plaintiffs Allege that the Criminal Acts Were Foreseeable

Home Depot, citing only Edmunds v. Cowan, argues there is no legal duty to

anticipate criminal acts. However, Cowan states that the principle does not apply if

there were “reasonable grounds to believe that a criminal act would be committed.”

386 S.E. 2d 39, 41 (Ga. Ct. App. 1989) (citation omitted). Plaintiffs, as noted

above, adequately allege that it was reasonably foreseeable Home Depot’s systems

would be hacked. Thus its motion to dismiss on this ground should be denied. See,

e.g., Bishop, No. 4:15-cv-00033-HLM, at 23 (Judge Murphy declined to dismiss

negligence claims because the plaintiffs adequately alleged that “the defendant had

reason to anticipate the criminal act.”).

Relying on premises liability cases, Home Depot contends that a duty to

protect against foreseeable criminal activity only arises if “the defendant has

superior knowledge that the criminal activity might occur.” HD Br. 23. However, a

premises liability case presents a “materially different set of facts” and different

duty. Bishop, at 25-28. Moreover, Home Depot’s assertion that it lacked superior

knowledge is nonsensical. Plaintiffs had no way of knowing that, contrary to its Home Depot. 613 F. Supp. 2d at 124. The court recognized a general negligence claim could be pursued. Id. at 128. Moreover, although the decision was reversed in part, the plaintiff did not appeal the ruling on the failure to provide notice claim. See Anderson, 659 F.3d at 157. The other case – Amburgy v. Express Scripts, Inc., – largely turned on a notification statute that did not provide a private right of action. 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009).


28

public assurances, Home Depot’s security systems were, in the words of its CEO,

“desperately out-of-date” and, among other things, that warnings about major

vulnerabilities in its systems were being ignored by senior management and

customer data was not being encrypted at the point-of-sale.

D. Plaintiffs Adequately Plead a Negligence Per Se Claim

Georgia law allows “the adoption of a statute or regulation as a standard of

conduct so that its violation becomes negligence per se.” Pulte Home Corp., 746

S.E.2d at 179; see also, O.C.G.A. § 51-1-6 (“When the law requires a person to

perform an act for the benefit of another or refrain from doing an act which may

injure another, although no cause of action is given in express terms, the injured

party may recover for the breach of such legal duty . . . .”). A plaintiff must show

he or she is within the class of persons the statute was intended to protect and the

statute is intended to protect against the harm suffered. Amick v. BM & KM, Inc.,

275 F. Supp. 2d 1378, 1382 (N.D. Ga. 2003). Plaintiffs allege that Home Depot

violated Section 5 of the FTC Act, they are within the class the statute was

intended to protect, and the statute was meant to protect against the harm that

occurred. As a result, Plaintiffs properly state a claim for negligence per se. Home

Depot’s three arguments to the contrary lack merit.

First, Home Depot asserts a violation of Section 5 can never support


29

negligence per se because there are no decisions so holding. But there are at least

two, both applying Georgia law: Bans Pasta, LLC v. Mirko Franchising, LLC, No.

7:13-cv-00360-JCT, 2014 WL 637762, at *12-13 (W.D. Va. Feb. 12, 2014) (an

FTC rule adopted pursuant to Section 5 set a standard of conduct which supported

a negligence per se claim); and Legacy Acad., Inc. v. Mamilove, LLC, 761 S.E.2d

880, 891-92 (Ga. Ct. App. 2014), aff’d in part and rev’d in part on other grounds,

771 S.E.2d 868 (Ga. 2015) (negligence per se claim allowed under FTC rule

interpreting Section 5).

Second, Home Depot contends Section 5 does not impose a “clear and

concrete duty or standard of conduct” of the type required for negligence per se

because the Act only prohibits an “unfair” practice. However, Plaintiffs’ claim is

not based solely on the terms of Section 5, but also on the FTC’s interpretation

requiring businesses to maintain reasonable data security practices, including such

concrete acts as encrypting data and implementing policies for installing security

updates. Compl. ¶¶ 179-83, 220. Further, Home Depot contends the FTC’s

guidelines do not “carry the force of law.” But, Georgia law does not require that a

governmental directive imposing a duty be expressed in a statute or regulation.

Wells Fargo Bank v. Jenkins, 744 S.E.2d 686, 688 (Ga. 2013) (recognizing that

negligence per se can be based upon a common law principle or any “regulation,


30

directive, or standard” authorized by law) (emphasis added).

Both of Home Depot’s contentions were also rejected in Wyndham, an

enforcement action in which the FTC sued a business for failure to have reasonable

data security practices. The defendant argued that the reasonableness standard was

not sufficiently clear to create a standard of conduct, the FTC’s guidance

documents were too vague to be enforceable and without specific rulemaking no

enforcement action could be taken. 10 F. Supp. 3d at 616. The court rejected each

argument and held the reasonableness of the defendant’s efforts could be measured

by “industry standard practices” referred to in own privacy policy. Id. at 620-21.

Like the defendant in Wyndham, Home Depot has a privacy policy stating it

uses “industry standard means” to protect customer data. Compl. ¶ 168. Home

Depot also adopted its own data security policies and procedures, which it failed to

follow. Id. ¶ 167. These standards and policies provide ample means to measure

whether Home Depot violated the FTC’s standard. St. Mary’s Hosp. v. Radiology

Professional Corp., 421 S.E.2d 731, 736-37 (Ga. Ct. App. 1992), is directly on

point. In that case, the court allowed a negligence per se claim against a hospital

for violating its own bylaws relating to the deprivation of a doctor’s practice

privileges based upon a standard of conduct prohibiting hospitals from acting in an

“unreasonable, arbitrary, capricious, or discriminatory” manner.


31

The FTC’s reasonableness requirement, particularly as further defined in its

guidance documents and multiple enforcement actions, is not so vague as to be

enforceable as a standard of conduct. As the Georgia Supreme Court held:

Where a statute provides a general rule of conduct, although only amounting to a requirement to exercise ordinary care, the violation thereof is negligence as a matter of law, or negligence per se . . . .

Teague v. Keith, 108 S.E.2d 489, 491-92 (Ga. 1959) (emphasis added) (noting that

a negligence per se claim can be based on statutes prohibiting a driver from driving

at a “speed greater than is reasonable” or keeping a vehicle under “immediate

control”); see also, e.g., Holbrook v. Exec. Conference Ctr., Inc., 464 S.E.2d 398,

401-02 (Ga. Ct. App. 1995); West v. Mache of Cochran, Inc., 370 S.E.2d 169, 172-

73 (Ga. Ct. App. 1988).9

Third, Home Depot incorrectly contends Plaintiffs are not consumers and are

outside the class of persons protected by Section 5. The class of persons protected

by Section 5 is not limited to consumers. See Bans Pasta, 2014 WL 637762, at *13

(allegation by an LLC franchisee that it was within the class of persons protected

under Section 5 was sufficient to survive dismissal); Legacy Acad., 761 S.E.2d at

9 Home Depot improperly relies on four Georgia cases to show that Section 5 does not have an ascertainable standard. Wells Fargo involved an “aspirational statement,” not a government directive. 744 S.E.2d at 688. The others, decided by the Court of Appeals, are inconsistent with the Supreme Court’s decision in Teague.


32

892-93 (LLC was entitled to pursue a negligence per se claim based upon Section

5); Wyndham, 10 F. Supp. 3d at 625 (noting the FTC’s position that a violation of

its data security standards “is likely to cause substantial consumer injury . . . to

consumers and businesses”) (emphasis added). The FTC and courts have long

applied Section 5 to practices victimizing businesses.10 Indeed, the requirement

that a practice cause “consumer injury” is an element of the definition of unfair

acts or practices and such injury has historically included harm to businesses. See

FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 245 n.5 (1972) (describing the

consumer injury requirement as “whether [the allegedly unfair act or practice]

causes substantial injury to consumers (or competitors or other businessmen)”)

(emphasis added) (citation omitted).

Plaintiffs are within the broad scope of persons protected by the FTC Act.

Additionally, Plaintiffs bear primary responsibility for reimbursing consumers for

10 See, e.g., FTC v. World Wide Factors, Ltd., 882 F.2d 344, 346-47 (9th Cir. 1989) (affirming preliminary injunction against seller of promotional merchandise to small businesses); Lee v. FTC, 679 F.2d 905, 906 (D.C. Cir. 1980) (upholding order against company providing promotional services to investors); United States Retail Credit Ass’n. Inc. v. FTC, 300 F.2d 212 (4th Cir. 1962) (affirming order against corporation offering debt collection services to businesses and professionals); United States Ass’n of Credit Bureaus v. FTC, 299 F.2d 220 (7th Cir. 1962) (modifying and enforcing order against provider of collection services to businesses); FTC v. Kitco of Nevada, Inc., 612 F. Supp. 1282, 1296-97 (D. Minn. 1985) (permanent injunction entered against seller of business opportunities).


33

fraud losses, and many Plaintiffs are credit unions, which are non-profit

cooperatives that act on behalf of and are owned by tens of millions of consumers.

Compl. ¶ 63. Moreover, the “class of persons” requirement in the negligence per se

analysis is not as narrow as Home Depot asserts. It cannot be disputed that the

purpose of the FTC’s standard is to prevent data breaches such as the one that

occurred, bringing Plaintiffs within its scope. See Atlanta & W. Point R.R. Co. v.

Underwood, 126 S.E.2d 785, 787-88 (Ga. 1962) (holding that a railroad was within

the class of persons protected by a statute requiring taxis to stop before crossing its

tracks because, even though primarily intended to protect passengers, the statute’s

purpose was to prevent collisions).

III. PLAINTIFFS STATE VALID CLAIMS FOR EQUITABLE RELIEF

Plaintiffs seek equitable relief pursuant to the Declaratory Judgment Act, 28

U.S.C. § 2201 et seq., and various state statutes. Plaintiffs allege there is a

continuing controversy relating to the scope of Home Depot’s data security

obligations and the inadequacy of its current practices. Compl. ¶¶ 278-82.

Plaintiffs further allege there is a real, immediate, and substantial risk of another

data breach and resultant future harm, and, if another breach occurs, their legal

remedies will be inadequate. Id. ¶ 282. Therefore, Plaintiffs seek a declaration that

Home Depot is failing to use reasonable security measures and that to comply with


34

its legal obligations, id. ¶¶ 280.a, 280.b, Home Depot must implement specified

additional security measures, id. ¶ 281.a-h. Such allegations are sufficient at the

pleading stage. See Adobe, 66 F. Supp. 3d at 1215, 1221-22 (denying a motion to

dismiss a declaratory relief claim challenging the adequacy of existing security

measures); Sony, 996 F. Supp. 2d at 999 (same); Target (Consumer Track), 66 F.

Supp. 3d. at 1161 (refusing to dismiss claim for injunctive relief).

Plaintiffs do not assert a “stand-alone claim” for an injunction or seek an

injunction as a remedy for negligence, as Home Depot contends. Rather, Plaintiffs

permissibly seek an injunction as an ancillary remedy under the Declaratory

Judgment Act.11 See 28 U.S.C. § 2202 (allowing “[f]urther necessary or proper

relief based on a declaratory judgment”); Powell v. McCormack, 395 U.S. 486, 499

(1969) (“A declaratory judgment can . . . be used as a predicate to further relief,

including an injunction.”) (citation omitted); 7AA CHARLES A. WRIGHT, ET AL.,

FEDERAL PRACTICE AND PROCEDURE § 1775 (3d ed. 2008) (“Because of the close

nexus between injunctive and declaratory relief, it is quite common for parties

seeking a declaration of their rights also to include a request for an injunction.”).

11 In addition, injunctive relief is available under the state statutes Plaintiffs invoke. See, e.g., Kwikset Corp. v. Superior Court, 246 P.3d 877, 895 (Cal. 2011) (injunctions are primary form of relief under California’s UCL); Conn. Gen Stat. § 42-110g; Fla. Stat. Ann. § 501.211(1); 815 ILCS 505/10a(c); Mass. Gen. Laws Ann. ch. 93A § 11; Wash. Rev. Code § 19.86.090.


35

Home Depot also asserts Plaintiffs’ equitable claims fail because the

problems that led to the breach have been fixed, eliminating any likelihood of a

future breach. However, Plaintiffs dispute this assertion, alleging that there is a

substantial risk of another breach due to continuing security problems at Home

Depot, particularly in light of its longstanding, lackadaisical approach to data

security, its failure to heed repeated warnings about vulnerabilities and the fact that

a massive breach has already occurred due to its misconduct. Plaintiffs’ allegations

are sufficient to show that “there is a substantial controversy, between parties

having adverse legal interests, of sufficient immediacy and reality to warrant the

issuance of a declaratory judgment.” MedImmune, Inc. v. Genentech, Inc., 549

U.S. 118, 127 (2007) (quotations omitted); Strickland v. Alexander, 772 F.3d 876,

883-85 (11th Cir. 2014) (reversing dismissal of declaratory relief claim because the

risk of future harm was not, as the trial court found, remote). As a result, dismissal

of Plaintiffs’ equitable claims would be improper.12 See, e.g., Adobe, 66 F. Supp.

3d at 1215, 1221-22; Sony, 996 F. Supp. 2d at 999.

Next, Home Depot argues that Plaintiffs have not alleged the absence of an 12 Home Depot’s reliance on Tiller v. State Farm Mut. Auto. Ins. Co., No. 1:12-CV-3432-TWT, 2013 WL 451309 (N.D. Ga. Feb. 5, 2013), aff’d, 549 F. App’x 849 (11th Cir. 2013) and Bolin v. Story, 225 F.3d 1234, 1242 (11th Cir. 2000), is misplaced. As described above, Plaintiffs seek prospective relief to redress continuing harm from Home Depot’s ongoing data security deficiencies that is not duplicative of their claims for money damages.


36

adequate legal remedy. But Plaintiffs have alleged they will not have an adequate

legal remedy if another breach occurs. Compl. ¶ 282. For example, many of the

injuries that will result from a future breach may not be readily quantifiable, such

as loss of good will and damage to Plaintiffs’ relationships with customers.

Because Plaintiffs have plausibly pled irreparable injury, unlike the plaintiffs in In

re Atlas Roofing Corp. Chalet Shingle Products Liability Litigation, No. 1:13-md-

2495-TWT, 2015 WL 114285, at *2 (N.D. Ga. Jan. 8, 2015), their claim for

injunctive relief should not be dismissed. See In re Managed Care Litig., 298 F.

Supp. 2d 1259, 1308 (S.D. Fla. 2003) (“whether money damages will prove to be

an adequate remedy at law cannot be determined” at the pleading stage).

Finally, the Association Plaintiffs have standing to sue on behalf of their

members. See, e.g., id.; Hunt v. Wash. State Apple Adver. Comm’n, 432 U.S. 333,

343 (1977). The sole basis for Home Depot’s challenge is an argument that

participation of the Association Plaintiffs’ members is required, which if true

would defeat associational standing. Id. Yet, members’ participation is not required

for the issues on which the Association Plaintiffs seek equitable relief – Home

Depot’s legal duties regarding data security, the adequacy of its current security

practices and whether particular safeguards are needed. These issues turn entirely

on Home Depot’s conduct, not that of the association’s members. See In re


37

Managed Care, 298 F. Supp. 2d at 1307-08 (“it is well-established that an

association may seek equitable relief on behalf of its members without running

afoul” of the member participation requirement). And, in any event, the

Association Plaintiffs have standing in their own right because they have and will

be forced to divert resources to deal with Home Depot’s data security problems

and their mission of assisting their members has been and will be frustrated.

Compl. ¶¶ 62-80. See Arcia v. Fla. Sec’y of State, 772 F.3d 1335, 1341-42 (11th

Cir. 2014) (diversion of resources confers standing on an association).

IV. PLAINTIFFS ADEQUATELY ALLEGE STATUTORY CLAIMS

Plaintiffs assert claims under statutes in eight states. Home Depot incorrectly

asserts each claim must be dismissed. Before turning to Home Depot’s specific

contentions, however, Plaintiffs emphasize four overarching principles governing

their statutory claims: state statutes prohibiting unfair practices are liberally and

broadly construed to protect the public; they allow businesses to sue for violations;

in construing the statutes, courts look for guidance to federal court decisions and

FTC actions interpreting Section 5 of the FTC Act; and whether conduct

constitutes an unfair practice is a decision for the trier of fact. See Exhibit A.

A. Plaintiffs Have Standing to Assert Statutory Claims.

Home Depot makes no new standing arguments relating to the statutory


38

claims, repeating arguments made earlier in its brief. Plaintiffs already have shown

they have Article III standing. See, e.g., Adobe, 66 F. Supp. 3d at 1218.

B. Plaintiffs Have Alleged an Unfair Practice Under Each Statute.

Unlike Roger Federer’s exquisite forehand, Home Depot’s mishit in

contending Plaintiffs have not alleged an unfair practice lands well wide of the

line. Plaintiffs allege Home Depot’s failure to maintain reasonable data security

measures constitutes an unfair trade practice under each statute. Compl. ¶¶ 224-28,

229-35, 240-44, 245-47, 249-54, 255-60, 267-72, 273-77.

Furthermore, as discussed above and pled in the complaint, the FTC has

repeatedly taken the position that inadequate security measures violate Section 5,

issued guidance to businesses, and pursued repeated enforcement actions in the

aftermath of data breaches involving problems similar to those at Home Depot.

See, e.g., Wyndham, 10 F. Supp. 3d at 608-09, 616-17, 624-25; BJ’s Wholesale

Club, 140 F.T.C. 465, 467 ¶ 7 (2005) (Sept. 20, 2005); CardSystems Solutions,

Inc., No. C-4168, 2006 WL 2709787 (F.T.C. Sep. 5, 2006); Life is Good, Inc., No.

C-4218, 2008 WL 1839971 (F.T.C. April 16, 2008); TJX Cos., No. C-4227, 2008

WL 3150421 (F.T.C. July 29, 2008). Indeed, in January, 2014, the FTC announced

its 50th data-security settlement.13 The FTC’s consistent interpretation of Section 5

13 See www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.


39

supports Plaintiffs’ allegation that inadequate security measures constitute an

unfair practice. Particularly in light of the statutory directive that courts defer to the

FTC’s interpretation, dismissal of Plaintiffs’ statutory claims would be

inappropriate.

C. Plaintiffs Plead All Essential Elements of Each Statute.

(1) Alaska

Home Depot argues Plaintiffs do not have a claim in Alaska because its

statute lists 57 specific violations, none of which apply here. However, the

statutory list of unfair or deceptive acts is non-exclusive, Alaska Stat. Ann. §

45.50.471(b) (“[t]he terms ‘unfair or deceptive acts or practices’ include, but are

not limited to, the [listed] acts”) (emphasis added), and includes a violation of

Alaska’s data breach statute, which requires timely disclosure of data breaches, id.

§ 45.50.471(b)(55). Further, the statute, like the FTC Act, generally prohibits

unfair practices and in construing its provisions the statute directs courts to give

“due consideration and great weight” to the FTC’s interpretations of Section 5,

Alaska Stat. Ann. §§ 45.50.471 and 45.50.545, which include as an unfair act

inadequate data security practices. And the statutory definition of “unfair” acts is

the same as used by other courts which have refused to reject similar claims in data

breach cases such as Adobe, TJX Cos., and Michael Stores, as described below. See


40

State v. O’Neill Investigations, Inc., 609 P.2d 520, 535 (Alaska 1980).

(2) California

California’s UCL prohibits “any unlawful, unfair or fraudulent business act

or practice.” Cal. Bus. & Prof. Code § 17200; see generally Miller v. Bank of Am.,

No. CGC-99-301917, 2004 WL 2403580, at *19 (Cal. Super. Ct. Oct. 13, 2004).

Plaintiffs properly assert claims under both the “unfair” and “unlawful” prongs.

The “unfair” prong is met because, as Plaintiffs allege, Home Depot’s failure

to have reasonable security measures constitutes immoral, unethical, oppressive

and unscrupulous activity, causing substantial injury to consumers and businesses,

without providing any benefit to consumers or competition. Compl. ¶ 233. Home

Depot also violated public policy requiring that businesses safeguard customer data

as reflected in the California Constitution and statutes such as the Online Privacy

Protection Act, Cal. Bus. & Prof. Code § 22578; Information Practices Act, Cal.

Civ. Code § 1798.1; and Cal. Civ. Code § 1798.81.5(a). Such allegations are

sufficient to survive a motion to dismiss. See Adobe, 66 F. Supp. 3d at 1225-27.

The “unlawful” prong of the UCL prohibits “anything that can properly be

called a business practice and that at the same time is forbidden by law.” Cel-Tech

Commc’ns, Inc. v. L.A. Cellular Tel. Co., 973 P.2d 527, 560 (Cal. 1999). Plaintiffs

plausibly plead that Home Depot violated the California Customer Records Act


41

(“CRA”), Cal. Civ. Code § 1798.81.5(b), which requires a business to maintain

reasonable procedures to protect personal information about California residents

from unauthorized access or use. Compl. ¶¶ 230, 235. This CRA violation creates

liability under the UCL’s unlawful prong. See Adobe, 66 F. Supp. 3d at 1225-27.

Home Depot asserts Plaintiffs have no claim under the UCL based on CRA

violations because the CRA does not allow businesses to sue.14 That the CRA can

be enforced only by consumers, however, does not mean conduct the CRA

prohibits cannot be redressed by businesses under the UCL. See Adobe, 66 F.

Supp. 3d at 1225 (the UCL allows plaintiffs “to ‘borrow’ violations of other laws

and treat them as unlawful competition that is independently actionable”); Chabner

v. United of Omaha Life Ins. Co., 225 F.3d 1042, 1048 (9th Cir. 2000) (“It does not

matter whether the underlying statute also provides for a private cause of action;

section 17200 can form the basis for a private cause of action even if the predicate

statute does not.”); Zhang v. Superior Court, 304 P.3d 163, 171-72 (Cal. 2013)

(violation of a statute lacking a private right of action may support a UCL claim). 14 In discussing the UCL claim, Home Depot notes in passing that Plaintiffs are not consumers. HD Br. at 44. If Home Depot is suggesting Plaintiffs cannot sue under the UCL, it is wrong. The UCL allows a claim to be brought by an injured “person,” which is defined to include “natural persons, corporations, firms . . . associations and other organizations of persons.” Cal. Bus. & Prof. Code §§ 17201, 17204. Businesses routinely sue under the UCL. See, e.g., Blizzard Entm’t, Inc. v. Ceiling Fan Software LLC, 28 F. Supp. 3d 1006 (C.D. Cal. 2013); Iconix, Inc. v. Tokuda, 457 F. Supp. 2d 969 (N.D. Cal. 2006).


42

(3) Connecticut

Home Depot argues that when liability under CUTPA is based upon

“passive conduct,” the plaintiff must show the defendant had a legal duty to

perform a particular act, which Plaintiffs purportedly cannot do. However, as

shown above, Home Depot owed a duty to Plaintiffs to have adequate data security

measures. Further, Plaintiffs allege that Home Depot engaged in far more than

passive conduct, including interfering with efforts to fix its data security problems,

turning off security features of its security software, and, unlike the defendant in

Downes-Patterson Corp. v. First National Supermarkets, Inc., 780 A.2d 967

(Conn. App. Ct. 2001), intentionally deciding not to act despite having been

warned for years about the need for improvements. Perola v. Citibank (S.D.) N.A,

the other case Home Depot cites, also is distinguishable; the plaintiff’s CUTPA

claim was dismissed because it was predicated on previously dismissed claims and

she had not suffered an ascertainable loss caused by the defendants’ conduct, 894

F. Supp. 2d 188, 205-06 (D. Conn. 2012). Home Depot’s other argument – that

Plaintiffs’ injuries were not proximately caused by the breach – is addressed above.

Plaintiffs have alleged proximate cause, which is quintessentially a jury question.

(4) Florida

Home Depot wrongly challenges Plaintiffs’ FDUTPA claim on the ground


43

that only consumers purportedly have a right of action. The statute’s express

purpose is to “protect the consuming public and legitimate business enterprises

from those who engage in . . . unfair acts or practices.” Fla. Stat. Ann. § 502.202(2)

(emphasis added). While initially limited to consumers, FDUTPA was

substantially amended in 1993 and 2001 to delete that limitation and to broaden the

definition of “consumer” to include “any commercial entity.” James D. Hinson

Elec. Contracting Co. v. BellSouth Tel., Inc., No. 3:07-cv-598-J-32MCR, 2008 WL

360803, at *2-3 (M.D. Fla. Feb. 8, 2008). As a result, FDUTPA does not require a

plaintiff be a consumer.15 See, e.g., id.; Kelly v. Palmer, Reifler, & Assocs., P.A.,

681 F. Supp. 2d 1356, 1373-74 (S.D. Fla. 2010); Intercoastal Realty, Inc. v. Tracy,

706 F. Supp. 2d 1325, 1334 (S.D. Fla. 2010); In re Heartland Payment Sys. Inc.

Customer Data Breach Sec. Litig., 834 F. Supp. 2d 566, 604 (S.D. Tex. 2011).

(5) Illinois

Home Depot’s assertion that the failure to maintain adequate data security

measures does not state a claim under the ICFA is incorrect. See In re Michaels

Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011) (denying motion to

dismiss a claim alleging that the failure to comply with industry data security

standards and to properly notify consumers constituted unfair practices under the 15 The cases that have held to the contrary were decided before the amendments, mistakenly relied upon decisions that pre-dated the amendments, or are flat wrong.


44

ICFA). The sole case relied upon by Home Depot – Garrett v. RentGrow, Inc. –

did not involve a data breach or data security issues and thus is not relevant. No. 04

C 8309, 2005 WL 1563162 (N.D. Ill. July 1, 2005).

(6) Massachusetts

Home Depot relies upon one case – Jasty v. Wright Med. Tech., Inc., 528

F.3d 28, 37 (1st Cir. 2008) – for its argument that inadequate data security

measures are outside the scope of MCPA. Jasty, which does not involve data

security issues, is inapplicable. In a data security case, the First Circuit later held

that allegations of inadequate security practices state an unfair practices claim

under the MCPA. In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d at 496. In so

holding, the First Circuit addressed the typical definition of an unfair practice used

in state versions of the FTC Act – e.g., that the practice is immoral, unethical,

oppressive or unscrupulous – and concluded:

If the charges in the complaint are true . . . a court using these general FTC criteria might well find in the present case inexcusable and protracted reckless conduct, aggravated by failure to give prompt notice when lapses were discovered internally, and causing very widespread and serious harm to other companies and to innumerable consumers. And such conduct, a court might conclude, is conduct unfair, oppressive and highly injurious – and so in violation of chapter 93A under the FTC’s interpretation.

Id. This conclusion applies to the other statutes under which Plaintiffs seek relief

which have the same definition of an unfair act or practice. See, e.g., Michaels


45

Stores, 830 F. Supp. 2d at 526 (relying upon TJX)).

(7) Minnesota

Plaintiffs allege Home Depot violated the Minnesota Plastic Card Security

Act (“MPCSA”) by retaining certain consumer data longer than allowed. Minn.

Stat. § 325E.64, subd. 2. According to Home Depot, Plaintiffs’ allegations are

deficient. Yet, the complaint alleges Home Depot kept the data longer than allowed

by the statute. Compl. ¶ 265. Plaintiffs also specify the length of time Home Depot

kept the data. See, id. ¶ 88 (merchants such as Home Depot collect information

within the scope of the MPCSA); ¶ 89 (Home Depot stored massive amounts of

this data “for years” and “indefinitely”); ¶¶ 170-71, 174-75 (Home Depot violated

industry requirements prohibiting it from storing cardholder data longer than

necessary to process a transaction); and ¶ 211.a (Home Depot failed to delete

cardholder information no longer needed to authorize a transaction). Because

Plaintiffs have adequately pled all elements of their MPCSA claim, Home Depot’s

motion to dismiss should be denied. See Target (FI Track), 64 F. Supp. 3d at 1314

(denying a motion to dismiss a MPCSA claim under similar facts).

(8) Washington

Plaintiffs plausibly plead valid claims under two Washington statutes: (1)

Wash. Rev. Code § 19.255.020, which requires businesses to take reasonable care


46

to guard against unauthorized access to account information; and (2) the

Washington Consumer Protection Act (“WCPA”), Wash. Rev. Code § 19.86.020,

which prohibits unfair practices. An unfair or deceptive act under the WCPA can

be based on a per se violation of another statute if the violation proximately caused

the plaintiffs’ injury and the plaintiff is within the class protected by the statute.

Dempsey v. Joe Pignataro Chevrolet, Inc., 589 P.2d 1265, 1270 (Wash. Ct. App.

1979); Blake v. Fed. Way Cycle Ctr., 698 P.2d 578, 581-82 (Wash. Ct. App. 1985).

Alternatively, a violation can be shown through proof that the defendant’s conduct

is illegal and against public policy as declared by the legislature or the judiciary.

Salois v. Mut. of Omaha Ins. Co., 581 P.2d 1349, 1351 (Wash. 1978).

Plaintiffs amply plead all of these requirements, asserting Home Depot

violated Wash. Rev. Code § 19.255.020(3)(a) by failing to adequately safeguard

customers’ account information; the violation proximately caused injury to

Plaintiff Sound Community Bank and the Washington Subclass; and they are

within the class of persons the statute was meant to protect, which cannot be

seriously disputed because the statute specifically allows them to recover their

mitigation costs. Further, Home Depot’s misconduct was illegal under Wash. Rev.

Code § 19.255.020(3)(a) and violated the clear public policy that customer data be

protected as provided by the statute.


47

Home Depot asserts it has a defense if at the time of the breach it was

certified to be compliant with industry standards. According to Home Depot,

because the complaint is silent about whether such a certificate existed, the

Washington claim must be dismissed. This argument has no merit. Plaintiffs, in

fact, allege that Home Depot did not comply with industry standards at the time of

the breach, an outside investigator has so found, and Home Depot has a history of

misrepresenting its security procedures to certifying entities. Compl. ¶¶ 174-75,

178. In any event, Plaintiffs are under no obligation to negate an affirmative

defense in their pleadings. See Dekalb Cnty. v. HSBC N. Am. Holdings, Inc., No.

1:12-CV-03640-SCJ, 2013 WL 7874104, at *2 (N.D. Ga. Sept. 25, 2013).

V. PLAINTIFFS’ CLAIMS ARE RIPE

In a transparent attempt to delay this case indefinitely, Home Depot seeks

dismissal on ripeness grounds of all Plaintiffs’ claims because a “substantial

portion” of the alleged injuries are “potentially recoverable” through the so-called

Card Brand Recovery Process. Home Depot relies on three cases that apply the

ripeness doctrine to dismiss constitutional challenges to government laws and

actions. Significantly, Home Depot has not cited a single instance in which a

similar argument has ever been made, let alone adopted, in a case similar to this

one. That is for good reason. Applying the ripeness doctrine here makes no sense.


48

A claim is ripe if the controversy is “definite and concrete, touching the

legal relations of parties having adverse legal interests.” Aetna Life Ins. Co. of

Hartford, Conn. v. Haworth, 300 U.S. 227, 240-41 (1937). Ripeness is rarely, if

ever, questioned in an action, such as this one, seeking damages for past conduct.

See Forum Architects LLC v. Candela, No. 1:07cv190/SPM/AK, 2008 WL

5101779 at *4 (N.D. Fla. Nov. 26, 2008) (“The overwhelming majority of cases

that raise the question of ripeness involve disputes that challenge, on constitutional

grounds, the validity of a statute or the actions of a governmental body, local

authority, or agency.); Gemtel Corp. v. Cmty. Redev. Agency of L.A., 23 F.3d 1542,

1545 (9th Cir. 1994) (“It is hard to see how a claim for damages could be unripe.

Either a cause of action has accrued, so it is ripe, or it has not yet accrued, so the

complaint fails to state a claim upon which relief can be granted.”).

Plaintiffs allege they suffered actual economic loss. Their claims do not

hinge on “uncertain and contingent future events that may not occur as anticipated,

or indeed may not occur at all” as required to apply the ripeness doctrine. See FEC

v. Lance, 635 F.2d 1132, 1138 (5th Cir. 1981) (citation omitted). If anything, it is

the so-called Card Brand Recovery Process that is the uncertain, contingent future

event. The process is not mentioned in the complaint, only vaguely described in

case law cited by Home Depot, and should not even be considered at this stage. See


49

Banknorth, N.A., 394 F. Supp. 2d at 287.

Plaintiffs expect discovery will show the recovery processes are voluntary,

non-binding, provide limited compensation and do not require participants to

release any claims or forego litigation. See Pa. State Emps. Credit Union v. Fifth

Third Bank, No. 1:CV-04-1554, 2006 WL 1724574, at *6 (M.D. Pa. Jun. 16, 2006)

(the process does not “eliminate a member’s right to pursue other legal remedies

that may be available outside the Visa compliance system, for example a fraud or

negligence claim”). Indeed, an unsuccessful attempt to use MasterCard’s process

to settle claims in the Target MDL provided such meager compensation that Judge

Magnuson noted the proposed settlement was not “fair and reasonable” and failed

to “pass the smell test.” In re Target Corp. Customer Data Sec. Breach Litig.,

MDL No. 14-2522, 2015 WL 2165432, at *2 (D. Minn. May 7, 2015).

If some Plaintiffs choose to participate in a recovery process and receive

some compensation for their injuries, Home Depot may have a right of set off. But,

there is no basis to find that their existing damage claims are not ripe because of

the possibility of some future recoveries from a non-party. Accordingly, Home

Depot’s ripeness argument should be rejected.


50

CONCLUSION

For the reasons set forth in this brief, Home Depot’s motion to dismiss

should be denied in its entirety.

Date: August 19, 2015 Respectfully submitted,

s/ Kenneth S. Canfield Kenneth S. Canfield, Ga. Bar # 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree St., NE, Suite 1600 Atlanta, Georgia 30309-3238 Telephone: 404-881-8900 [email protected] Co-lead Counsel

Joseph P. Guglielmo Erin Green Comite SCOTT+SCOTT, ATTORNEYS AT LAW, LLP 405 Lexington Avenue New York, New York 10174 Telephone: 212-594-5300 [email protected] [email protected] Co-lead Counsel

Gary F. Lynch Jamisen Etzel CARLSON LYNCH SWEET& KILPELA, LLP 1133 Penn Avenue, 5th Floor Pittsburgh, Pennsylvania 15222 Telephone: 412-322-9343 [email protected] [email protected] Co-lead Counsel

W. Pitts Carr W. PITTS CARR AND ASSOCIATES, PC 4200 Northside Parkway, NW Building 10 Atlanta, Georgia 30327 Telephone: 404-442-9000 [email protected] Co-liaison Counsel

Ranse M. Partin CONLEY GRIGGS PARTIN, LLP 1380 West Paces Ferry Road NW Suite 2100 Atlanta, Georgia 30327 Telephone: 404-467-1155 [email protected] Co-liaison Counsel


51

Plaintiffs’ Steering Committee

James H. Pizzirusso Swathi Bojedla HAUSFELD LLP 1700 K Street, NW, Suite 650 Washington, DC 20006 Telephone: 202-540-7200 [email protected] [email protected] Plaintiffs’ Steering Committee Chair Joseph Hank Bates III CARNEY BATES & PULLIAM 17 Washington Ave., N., Suite 300 Minneapolis, MN 55401 Telephone: 501-312-8500 [email protected] Bryan L. Bleichner CHESTNUT CAMBRONNE, PA 17 Washington Avenue North Suite 300 Minneapolis, MN 55401 Telephone: 612-339-7300 [email protected] Brian C. Gudmundson ZIMMERMAN REED, PLLP 1100 IDS Center 80 South 8th Street Minneapolis, MN 55042 Telephone: 612-341-0400 [email protected]

Robert N. Kaplan KAPLAN FOX & KILSHEIMER 850 Third Ave., 14th Floor New York, New York 10022 Telephone: 212-687-1980 [email protected] W. Daniel Miles, III Andrew E. Brasher Leslie L. Pescia BEASLEY ALLEN CROW MEHTVIN PORTIS & MILES P.O. Box 4160 218 Commerce Street Montgomery, Alabama 36103 Telephone: 334-269-2343 [email protected] Arthur M. Murray MURRAY LAW FIRM 650 Poydras Street, Suite 2150 New Orleans, Louisiana 71030 Telephone: 505-525-8100 [email protected] Karen H. Riebel LOCKRIDGE GRINDAL NAUEN 100 Washington Ave. S., Suite 2200 Minneapolis, MN 55401 Telephone: 612-339-6900 [email protected]


52

Vincent J. Esades David R. Woodward HEINS MILLS & OLSON, PLC 310 Clifton Avenue Minneapolis, MN 55403 Telephone: 612-338-4605 [email protected] [email protected] Andrew N. Friedman COHEN MILLSTEIN SELLERS TOLL 1100 New York Ave., NW East Tower, 5th Floor Washington, DC 20005 Telephone 202-408-4600 [email protected]

Thomas A. Withers GILLEN WITHERS & LAKE 8 E. Liberty Street Savannah, Georgia 31401 Telephone: 912-447-8400 [email protected]

Co-Counsel for Financial Institution Plaintiffs MaryBeth V. Gibson THE FINLEY FIRM, P.C. Piedmont Center 3535 Piedmont Road Building 14, Suite 230 Atlanta, GA 30305 Telephone: 404-320-9979 [email protected]


53

CERTIFICATION

The Undersigned hereby certifies, pursuant to Local Civil Rule 7.1D, that

the foregoing document has been prepared with one of the font and point selections

(Times New Roman, 14 point) approved by the Court in Local Civil Rule 5.1C.

/s/ Kenneth S. Canfield . Kenneth S. Canfield DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree St., NE, Ste. 1600 Atlanta, Georgia 30309-3238 Phone: 404-881-8900 Fax: 404-881-3017 KCanfield&Dsckd.com


54

CERTIFICATE OF SERVICE

I hereby certify that on August 19, 2015, I served all parties by causing a

true and correct copy of the foregoing Financial Institution Plaintiffs’

Memorandum in Opposition to Home Depot’s Motion to Dismiss to be filed with

the clerk of court using the CM/ECF system, which automatically sends a copy to

all counsel registered to receive service.

/s/ Kenneth S. Canfield . Kenneth S. Canfield

Co-Lead Counsel for the Financial Institution Plaintiffs


IN THE UNITED STATES DISTRICT COURT NORTHERN...

Documents

Transcript of IN THE UNITED STATES DISTRICT COURT NORTHERN...