Home Depot Takes One More Step Toward Putting the 2014 Data Breach In the Past

One of the recurring themes that we stress is the need for businesses to implement significant data security programs and protections in advance of a data incident. The message is simple: it is better to be cautious now than to scurry for remedial measures post-breach. The recently announced Home Depot settlement proves the value of our warning.

In September 2014, Home Depot announced that payment card data for over 50 million customers was compromised in a five-month cybersecurity attack on its payment terminals. Hackers stole payment card data from customers who made purchases at self-checkout terminals from April 10, 2014 to September 13, 2014. The fallout from this data breach included Congressional hearings, consumer class action lawsuits and lawsuits by financial institutions. In 2016, Home Depot agreed to pay up to $19.5 million to U.S. customers affected by the data breach.

This month, Home Depot took another step toward putting the data breach incident behind the company. In a settlement filed with the U.S. District Court in the Northern District of Georgia, Home Depot agreed to a $25 million settlement for damages incurred by financial institutions for canceling and reissuing payment cards, reimbursing customers for fraudulent charges, and other out-of-pocket expenses incurred in responding to the data breach. The settlement consists of the following payments by Home Depot:

  • $25 million into a fund to compensate settlement class members for their alleged injuries fairly traceable to the data breach; and
  • Up to $2.25 million to independent sponsored entities.

Home Depot also agreed to adopt and implement the following data security measures for two years following the execution of the settlement agreement:

  • Design and implement reasonable safeguards to manage the risks identified through its data security risk assessments, track and manage the risk assessments using a risk exception process which involves leadership, and review the process annually.
  • Develop and use reasonable steps to select IT service providers and vendors capable of maintaining security practices consistent with the requirements set forth in the agreement, and annually assess the providers and vendors.
  • Design and implement an industry-recognized security control framework appropriate for the Home Depot environment.

In addition to the $25 million amount pursuant to this settlement, it is reported that Home Depot has paid more than $140 million to financial institutions in connection with the data breach. Those payments include $14.5 million to MasterCard and Visa issuers, $79 million under Visa’s GCAR Program, and $41 million under MasterCard’s ADC program to partially compensate the financial institutions for their losses resulting from the data breach.

The Settlement Agreement and Release is subject to final approval by the U.S. District Court.
