December 8, 2022

Volume XII, Number 342


Home Depot Enters Into Multistate $17.4 Million Settlement With State AGs Concerning Data Breach

Readers of CPW are no doubt familiar with the pattern of litigation that follows the announcement of a data breach, as impacted individuals seek monetary damages and injunctive relief for the disclosure of their personal information. (For some prior posts on this topic, check out here and here.) Alongside the threat of litigation commenced by private parties hovers the specter of scrutiny from state attorneys general, who have the authority under state consumer protection laws to police unfair and deceptive acts and/or practices, including in the realm of cybersecurity. A settlement The Home Depot (“Home Depot”) entered into recently underscores this risk.

The settlement concerns a data breach Home Depot announced in September 2014 that impacted the payment card information of approximately forty (40) million consumers.  At the time, Home Depot reported that it had discovered unauthorized access to, and theft of, payment card information at its stores in the United States.  In addition to payment card information, intruders obtained a file containing the email addresses of approximately fifty-three (53) million consumers.  An internal investigation revealed that in April 2014, hackers gained access to Home Depot’s computer network and deployed malware to point-of-sale systems.  This malware was utilized to capture consumers’ card payment data, which was then exfiltrated and used by third parties.

Last month, it was announced that Home Depot had entered into a $17.4 million, multistate settlement with the Attorneys General of 46 states and the District of Columbia (participating states include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and Wisconsin).

Besides the monetary payment, Home Depot agreed, upon execution of the settlement, to implement and maintain a series of data security practices. These include, among other measures:

  • Develop a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality of the personal information Home Depot collects or obtains from customers;

  • Employ a qualified Chief Information Security Officer who will report to both the Senior or C-suite executives and Board of Directors regarding Home Depot’s security posture and security risks;

  • Provide resources necessary to fully implement the company’s information security program;

  • Provide security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;

  • Adopt security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and

  • Obtain (consistent with other state data breach settlements) an information security assessment and report from a third-party professional to assess Home Depot’s handling of consumer personal information and compliance with its information security program.

Home Depot is not the first entity to enter into such an agreement in the wake of a data breach and it certainly will not be the last.  Stay tuned.

© Copyright 2022 Squire Patton Boggs (US) LLP

National Law Review, Volume X, Number 344

About this Author

Kristin L. Bryan, Senior Associate, Litigation Attorney, Squire Patton Boggs (Cleveland, OH & New York, NY)