On November 24, 2020, a multistate coalition of Attorneys General announced that The Home Depot, Inc. (“Home Depot”) agreed to pay $17.5 million and implement a series of data security practices in response to a data breach the company experienced in 2014. The $17.5 million payment will be divided among the 46 participating states and the District of Colombia. We previously reported on a settlement Home Depot reached in 2017 to resolve a putative class action brought by financial institutions impacted by the 2014 data breach.

The 2014 breach occurred when unauthorized parties gained access to Home Depot’s network and installed malware on the company’s self-checkout point-of-sale system, allowing the attackers to obtain payment card information from customers who used self-checkout registers in Home Depot stores between April 10, 2014 and September 13, 2014. Approximately 56 million payment card numbers were compromised, and the stolen information was used to conduct fraudulent transactions. Home Depot publicly disclosed the breach in September 2014.

In addition to the $17.5 million settlement, Home Depot agreed to implement various data security measures, including:

  • employing a qualified chief information security officer who will report to both senior or C-suite executives and the board of directors regarding Home Depot’s security posture and identified security risks;
  • ensuring the company allocates appropriate resources to implement and maintain its information security program;
  • providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or who are otherwise responsible for processing U.S. consumers’ personal information;
  • employing specific information security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor management; and
  • undergoing an assessment that will evaluate, in part, Home Depot’s implementation of the information security program and controls described above.