Data Breaches Can Cost $$ – Plus Ongoing Obligations (ask Home Depot): Lessons and Takeaways
The Home Depot, Inc. (“Home Depot”) recently entered into a multi-state Assurance of Voluntary Compliance with Attorneys General of 46 states and the District of Columbia (the “Settlement”) stemming from a massive 2014 data breach that exposed the payment card information of approximately 40 million Home Depot customers. In addition to the steep penalty, Home Depot is required to undergo an extensive security overhaul.
According to prior press releases from Home Depot and wide reporting on the incident, the data breach occurred when attackers gained access to Home Depot’s network and planted malware that allowed the attackers access to payment card information of Home Depot customers who used self-checkout lanes at Home Depot stores between April and September 2014.
The Settlement includes not only $17.5 million in monetary payments to the states, but also requires that Home Depot implement a series of information security measures and undertake a number of oversight and reporting obligations. Note that the Settlement is in addition to the estimated more than $180 million in reported payouts that Home Depot has already forked over in litigation with customers, card issuers, and banks as a result of the breach.
“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts Attorney General Maura Healey in a press release announcing the Settlement, “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.” Similarly, Virginia Attorney General Mark Herring noted, “Businesses that collect or maintain sensitive personal information have a heightened duty to keep that information secure. These companies must make it a top priority to implement and adhere to reasonable practices and procedures that will protect consumers’ information from bad actors.”
The terms of the Settlement make clear that Home Depot cannot pay its way out of this and go back to business as usual – instead, there are concrete requirements such as CEO and Board of Director reporting on security matters. This suggests that the Attorneys General were certain to ensure that top management could never claim ignorance about the security of their organization. The Settlement also requires other tasks that cannot simply be tucked away in a drawer and forgotten about, such as documentation of safeguards that Home Depot implements in response to annual risk assessments and penetration testing. The Settlement also requires that Home Depot operationalize extensive and specific vendor management requirements.
Settlement Security Obligations
Information Security Program
The Settlement requires Home Depot to implement a comprehensive information security program within 180 days that contains administrative, technical and physical safeguards appropriate to: (i) the size and complexity of Home Depot’s operations; (ii) the nature and scope of Home Depot’s activities; and (iii) the sensitivity of the personal information that Home Depot maintains.
Home Depot is also required to appoint a Chief Information Security Officer responsible for oversight of Home Depot’s implementation and maintenance of the information security program prescribed by the Settlement. The Chief Information Security Officer will have a direct line to top management, as the position is specifically required to advise the Chief Executive Officer and Board of Directors on Home Depot’s security posture, security risks, and security implications of Home Depot’s decisions.
Finally, the Settlement requires that Home Depot provide annual security and privacy training to all personnel whose job involves access to the company’s network or responsibility for customer personal information.
Required Specific Security Safeguards
Per the Settlement, Home Depot is required to include a laundry list of specific security safeguards in its information security program:
- Security Incidents: reasonably designed and implemented for appropriate handling and investigation of security incidents
- Network Software Support: maintain and support network software, taking into consideration the data security impact of updates
- Encryption: protocols and policies designed to encrypt personal information and sensitive information stored on laptops or other portable devices or when transmitted across public networks or wirelessly
- PCI-DSS Compliance
- Segmentation: policies and procedures to segment network and permit systems to communicate as necessary to perform their business and/or operational functions
- Logging and Monitoring: controls to manage access of any device attempting to connect to Home Depot’s Cardholder Data Environment (technologies that store, process, or transmit payment card authentication data), through tools such as firewalls, authentication credentials, or other such access-restricting mechanism
- SIEM: security information and event management tool to collect logs and monitor network activity
- Access Control and Account Audits: policies, procedures, and controls to manage and audit the use of Home Depot’s individual accounts, systems administrator accounts, service accounts, and vendor accounts, properly configured with unique user names and passwords, which shall be monitored for anomalous behavior indicative of a security event
- Password Management: password policies and procedures requiring risk-based controls to manage access to and use of Home Depot’s user accounts
- Two-Factor Authentication: required for Home Depot’s systems administrator accounts and for remote access into Home Depot’s network
- File Integrity Monitoring: controls to prevent and detect unauthorized modifications to critical applications or operating system files within the Cardholder Data Environment
- Firewalls: firewall policies and procedures to restrict connections between internal networks to the Cardholder Data Environment
- Payment Card Security: steps designed to manage the review and adoption of industry-accepted payment card security technologies
- Devalue Payment Card Information: take steps such as implementing encryption through the course of a retail transaction at an Home Depot store
- Risk Assessment Program:
- Identification of internal and external risks to personal information
- Assessment of safeguards in place to control these risks
- Evaluation and adjustment of the information security program in response
- Implementation of reasonable safeguards to control these risks; and
- Documentation of safeguards implemented in response to such annual risk assessments
- Penetration Testing: Annual penetration testing of internal and external network defenses, including documented remediation of identified vulnerabilities
- Intrusion Detection Solution
- Vendor Account Management: risk-based policies and procedures for auditing vendor compliance with Home Depot’s information security program, to include:
- Contractual requirements
- Periodic evaluations of vendor’s cybersecurity practices and compliance
- Onsite security reviews of critical vendors’ security practices
- Granting vendors the minimum access necessary to perform their duties and responsibilities; and
- Monitoring of IP addresses and login times typically associated with vendors
Home Depot is also required to obtain a third-party information security assessment and report to assess Home Depot’s handling of personal information and its compliance with the information security program prescribed by the Settlement. A copy of the report must be delivered to the Attorney General of each state included in the Settlement upon request.
Takeaways for Businesses
It is sometimes difficult to find concrete examples from governmental authorities of required or recommended security measures, often leaving businesses unsure of exactly which measures they should implement. This Settlement, on the other hand, provides an invaluable list of security requirements that businesses would be well-advised to consider making part of their information security program.
The Settlement also provides an important basic foundational framework for vendor security management that businesses may wish to consider as they onboard and manage their vendors that will have access to personal information and other sensitive data.
Finally, the Settlement serves as a reminder that failing to protect sensitive information can cost you millions, allow government regulators to force prescribed security requirements on your business, and put your company under a compliance microscope.