Home Depot Settles With 46 States for 2014 Data Breach: Lessons from the Trenches
What Happened?
Between April 10 and September 13, 2014, Home Depot stores throughout the United States fell victim to a data breach when hackers gained access to self-checkout point-of-sale systems and retrieved customer payment card information. In 2016, Home Depot settled a class action suit brought on behalf of the many consumer victims of the breach for $13 million. Now, Home Depot has agreed to a settlement of $17.5 million split between forty-six plaintiff states as a result of the 2014 breach. In addition to this monetary penalty, Home Depot must also implement several mandatory data security safeguards.
What Does This Mean for My Company?
Home Depot is not the first—and certainly will not be the last—company whose data security practices have come under scrutiny. In July 2019, Equifax paid $700 million to settle federal and state investigations into the now infamous 2017 data breach. Likewise, in September of this year, Anthem paid $39.5 million following an investigation into a 2014 data breach.
The signs are clear that neither scale nor time will reduce the investigation and rectification of data breaches in the United States. In addition to Attorneys General investigations, the Federal Trade Commission, the Consumer Financial Protection Bureau, and even the Federal Bureau of Investigation can launch investigations into data security practices. California has also recently passed the Consumer Privacy Rights Act, which creates a separate privacy protection agency responsible for enforcing data privacy rights within the state (for a recent update on the CPRA, see here). Beyond the United States, the European Union has been actively enforcing the General Data Protection Regulation, resulting in hefty fines for companies that do not adequately protect consumer data. All this in addition to private actions from impacted data subjects.
The data privacy landscape, both domestically and abroad, is evolving. As such, now is the time to review and update your data security and privacy practices with learnings from recent incidents, such as the 2014 Home Depot breach. The below safeguards, which must be implemented by Home Depot, represent the minimum security measures that should be in place for any business that collects and maintains personal information:
- Establish an appropriate data infrastructure: the amount you invest will depend on how much data you collect, how sensitive it is, and how you use that data. In any case you must have a defensible security protocol.
- Perform regular data audit and mapping exercises: identifying the data you collect, where you store that data, from whom you collect, and with whom you share data is necessary to ensure compliance with regional, national, and international privacy and security laws.
- Coordinate with data privacy professionals: whether hiring employees to oversee your data privacy and security practices or receiving advice of outside counsel, seeking the help of privacy experts can improve your data practices and help avoid or mitigate potential unnecessary costs in the future.
What Are the Settlement Requirements for Home Depot?
As part of its settlement, Home Depot has agreed to implement a program, along with other safeguards, in order to prevent future breaches from occurring. While these safeguards are a step in the right direction, they do not represent the full range of possible data privacy safeguards, nor are they necessarily appropriate for all businesses.
1. Information Security Program
As part of the settlement, Home Depot must first implement and maintain a robust information security program, which must be commensurate in scale to Home Depot’s size, the scope of its operations, and the sensitivity of the personal data that is collected. In order to oversee this program, Home Depot must also employ a qualified Chief Information Security Office, who reports directly to the CEO and the Board of Directors on matters related to Home Depot’s security posture. As further part of this program, Home Depot has 180 days to provide security and privacy training to all personnel whose job involves access to the company network or consumers’ personal information.
2. Specific Safeguards
Beyond the general requirements of a formal Information Security Program, the settlement also requires Home Depot to implement certain specific safeguards to ensure ongoing protection of consumer data. These safeguards include:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Home Depot has one year to implement these protocols, after which an independent security assessment will be performed by a certified information systems security professional or a certified information systems auditor.
For additional guidance, please contact a member of the Privacy and Data Security Team.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.