January 25, 2021

Volume XI, Number 25


January 22, 2021

Subscribe to Latest Legal News and Analysis

Home Depot Agrees to Pay $17.5 Million in Multistate Settlement Following 2014 Data Breach

On November 24, 2020, a multistate coalition of Attorneys General announced that The Home Depot, Inc. (“Home Depot”) agreed to pay $17.5 million and implement a series of data security practices in response to a data breach the company experienced in 2014. The $17.5 million payment will be divided among the 46 participating states and the District of Colombia. We previously reported on a settlement Home Depot reached in 2017 to resolve a putative class action brought by financial institutions impacted by the 2014 data breach.

The 2014 breach occurred when unauthorized parties gained access to Home Depot’s network and installed malware on the company’s self-checkout point-of-sale system, allowing the attackers to obtain payment card information from customers who used self-checkout registers in Home Depot stores between April 10, 2014 and September 13, 2014. Approximately 56 million payment card numbers were compromised, and the stolen information was used to conduct fraudulent transactions. Home Depot publicly disclosed the breach in September 2014.

In addition to the $17.5 million settlement, Home Depot agreed to implement various data security measures, including:

  • employing a qualified chief information security officer who will report to both senior or C-suite executives and the board of directors regarding Home Depot’s security posture and identified security risks;

  • ensuring the company allocates appropriate resources to implement and maintain its information security program;

  • providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or who are otherwise responsible for processing U.S. consumers’ personal information;

  • employing specific information security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor management; and

  • undergoing an assessment that will evaluate, in part, Home Depot’s implementation of the information security program and controls described above.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 330



About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct