On November 24, 2020, the Attorneys General of forty-seven states and US territories announced a settlement agreement with The Home Depot, Inc., resolving a multistate investigation into the 2014 data breach that exposed payment card information of millions of Home Depot customers in the US and Canada. The settlement requires the payment of $17.5 million, divided between the 47 plaintiffs, as well as numerous enhancements to Home Depot’s security program. Among other things, Home Depot must:
- Employ a chief information security officer to oversee the implementation and maintenance of an information security program that is reasonably designed to protect the security, integrity and confidentiality of personal information obtained from consumers;
- Provide security awareness and privacy training to personnel with access to the company’s computer network or any consumer data collected by Home Depot;
- Maintain encryption protocols and policies designed to encrypt personal information stored on Home Depot devices and networks;
- Monitor and log network activity;
- Control and limit account access, and implement password policies and procedures and two-factor authentication for remote access and system administrator accounts;
- Conduct an annual risk assessment to identify internal and external security risks and assess the safeguards in place to control the risks, and implement additional safeguards reasonably necessary to control the risks; and
- Audit vendor compliance with the company’s information security program.
The settlement also requires Home Depot to engage a third-party professional who is a certified information systems security professional or a certified information systems auditor to assess the company’s handling of personal information and its compliance with the company’s information security program, and to submit a report to the several attorneys general.
A class action brought on behalf of the affected consumers was settled in August 2016 with the establishment of a $13 million settlement fund, and the provision of 18 months of free identity monitoring services to members of the class.