Home Depot settles multi-state lawsuit stemming from 2014 breach
A number of states have issued press releases about how their state was part of a newly announced settlement stemming from a Home Depot breach in 2014. That breach has been covered quite a bit on this site already, as it resulted in a lot of litigation involving card issuers, credit unions, banks, and of course, consumers.
Since I’m in New York, I’ll use the NY Attorney General’s press release to give you the bullet points:
New York Attorney General Letitia James announced on Monday an agreement with the Home Depot, Inc., that will require the company to pay 46 states and the District of Columbia $17.5 million. The agreement resolves and investigation stemming from a data breach in 2014 that compromised payment card information of roughly 40 million customers.
According to AG James, the cyberattack occurred when hackers gained access to The Home Depot’s network and used malware to gain information from the self-checkout point-of-sale system. These incidents occurred nationwide between April 10, 2014 and September 13, 2014.
New York State is set to received $597,459.80.
“New Yorkers have every reasonable expectation that their personal financial information will remain private and protected,” said Attorney General James. “Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk. My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information.”
James stated that as part of the November 24, multistate agreement, The Home Depot will make a series of provisions to security protocols. This provisions include the following.
- Employ chief information security officer
- Providing necessary resources to implement the company’s information security program
- Provide appropriate security awareness and privacy training to all personnel who have access to company networks
- Employ security safeguards with respect to logging and monitoring
- Undergo a post settlement information security assessment
Joining Attorney General James in filing today’s multistate agreement are the attorneys general of Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and the District of Columbia.