Readers of CPW are no doubt familiar with the pattern of litigation following the announcement of a data breach as individuals impacted seek monetary damages and injunctive relief for the disclosure of their personal information. (For some of CPW’s prior posts on this topic, check out here and here). Aside from the threat of litigation commenced by private parties also hovers the specter of scrutiny from state attorneys general (who have the authority under state consumer protection laws to police against unfair and deceptive acts and/or practices, including in the realm of cybersecurity). A settlement The Home Depot (“Home Depot”) entered into recently underscores this risk.
The settlement concerns a data breach Home Depot announced in September 2014 that impacted the payment card information of approximately forty (40) million consumers. At the time, Home Depot reported that it had discovered unauthorized access to, and theft of, payment card information at its stores in the United States. In addition to payment card information, intruders obtained a file containing the email addresses of approximately fifty-three (53) million consumers. An internal investigation revealed that in April 2014, hackers gained access to Home Depot’s computer network and deployed malware to point-of-sale systems. This malware was utilized to capture consumers’ card payment data, which was then exfiltrated and used by third parties.
Last month, it was announced that Home Depot had entered into a $17.4 million, multistate settlement with the Attorneys General of 46 states and the District of Columbia (participating states include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and Wisconsin).
Besides the monetary payment, Home Depot agreed with execution of the settlement to implement and maintain a series of data security practices. This includes, among other measures:
- Develop a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality of the personal information Home Depot collects or obtains from customers;
- Employ a qualified Chief Information Security Officer who will report to both the Senior or C-suite executives and Board of Directors regarding Home Depot’s security posture and security risks;
- Provide resources necessary to fully implement the company’s information security program;
- Provide security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
- Adopt security safeguards with respect to logging and monitoring, access controls, password management, two factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
- Obtain (consistent with other state data breach settlements) an information security assessment and report from a third-party professional to assess Home Depot’s handling of consumer personal information and compliance with its information security program.
Home Depot is not the first entity to enter into such an agreement in the wake of a data breach and it certainly will not be the last. Stay tuned.