Three years after their historic data breach, Home Depot has taken the first of its final steps towards having fully mitigated the damage that followed. While they are only one of numerous companies who have been hacked in recent years, Home Depot is proving to be a pioneer in the realm of how companies will handle data breaches moving forward.
The settlement is striking in a number of ways, not least because it passed in court with each party's consent - a feat that shifts the pattern of suits filed against companies that had been breached in the past (which, for the most part, were dismissed). In an age where information security threats are increasingly widespread, and the number of major data breaches is escalating, the breach and subsequent events incurred by Home Depot are becoming something of a model for the unfortunate companies who will inevitably be hacked in the future. And, as per the blueprint outlined in the recently published court documents that require Home Depot to "monitor the dark web" on an ongoing basis, companies may be required to provide such "dark web" - also known as "darknet" - monitoring as part of their standard, comprehensive cybersecurity measures.
The breach and the aftermath
On September 8, 2014, Home Depot released a public statement disclosing that its payment card systems had been compromised. In what amounted to one of the largest data breaches in U.S. history, attackers gained access to 56 million customer credit card numbers.
As many as 44 consumer civil actions were subsequently filed against Home Depot. There have also been several federal and state investigations.
In 2016, Home Depot agreed to pay up to $19.5 million to settle consumer class action claims arising from the 2014 theft of credit and debit card records for approximately 50 million customers.
After several further derivative suits were filed and ultimately dismissed, court documents reveal that Home Depot reached an agreement with its plaintiffs on April 28th, 2017, less than two weeks ago. The unopposed motion for preliminary approval of a settlement of the derivative lawsuit - one which is typically brought by a shareholder on behalf of the company against the directors or board - was atypical in that these types of cases are usually dismissed. In this case, however, an agreement was reached.
As part of the settlement, Home Depot agreed to adopt certain cybersecurity reforms and pay up to $1.125 million of the plaintiffs' attorney fees. The court document (which can be found in its entirety on Bloomberg Law) delineates several stipulations as part of the roadmap for all cybersecurity measures relating to Home Depot.
The agreed-upon measures require Home Depot to, among other things, clearly define and budget for the role of a Chief Information Security Officer; routinely evaluate and improve upon incident response plans, including routinely conducting tests of such plans; and periodically assess key indicators of compromise on computer network endpoints. In addition, the agreement requires Home Depot to monitor the darknet for the presence of leaked data.
Also worth noting is the sixth stipulation, which reads "[t]he Board shall receive periodic reports from management regarding the amount of the Company's IT budget and what percentage of the IT budget is spent on cybersecurity measures." For its part, Home Depot has significantly increased its information security budget since the breach occurred. Now, however, it is legally bound to maintain this budget structure and continue to allocate funds to cybersecurity-related resources.
While the settlement appears to be amenable to both parties, and thus somewhat of a "win-win," Home Depot has and will continue to bear the financial consequences of the 2014 breach.
According to Fortune, "In addition to this week's $25 million settlement, Home Depot has also paid at least $134.5 million in compensation to consortiums made up of Visa, MasterCard, and various banks. For Home Depot, the cost of the breach is at least $179 million based on the figures in the court documents. The final total, though, is likely to be much higher because of legal fees and any other undisclosed payouts."
What this means for the future
According to legal reporters, the success of the lawsuits brought against Home Depot demonstrates that, while past lawsuits of this type have traditionally been unsuccessful, this type of litigation continues to be pursued against companies victimized by a data breach.
As they put it, "the plaintiffs' bar is very creative and very entrepreneurial, and they have significant incentives to try and find a way to capitalize on the chronic cybersecurity risks and exposures that companies face. The plaintiffs' lawyers will continue to experiment, and for that reason alone we are going to see further cybersecurity-related [derivative] lawsuits."
Presuming that this trend will continue, it will become increasingly urgent for companies to develop and maintain a robust cybersecurity program that can stand up not only to potential threat actors, but also to potential future plaintiffs should a breach occur.
While ideally such cybersecurity defenses should be preemptive, thereby preventing a data breach from occurring, it is likely that the blueprint provided in the case of Home Depot will be most applicable to how the next companies to experience a data breach respond and proceed after the incident. It is likely that, as per the Home Depot model and legal precedent, future breach victims will be required to monitor the darknet.