Privacy & Information Security Law Blog

On March 9, 2017,  Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

The 2014 data breach involved the theft of Home Depot customers’ personal information, including names, payment card numbers, expiration dates and security codes. Approximately 56 million payment card numbers were compromised. This information was sold to identity thieves, who used it to make fraudulent transactions. As a result, financial institutions were required to take steps such as cancelling the compromised cards and reimbursing customers for fraudulent charges.

As part of the settlement, Home Depot will pay $25 million into a fund that will be distributed to financial institutions that have not released all of their claims, and pay up to $2.25 million to certain financial institutions whose claims were released by a sponsor in connection with MasterCard’s Account Data Compromise program. Home Depot also will be required to, for at least two years, implement additional data security measures. Specifically, Home Depot must:

• implement an appropriate, industry-recognized security control framework;
• develop a program to ensure that its vendors with access to payment card information treat the information securely; and
• apply safeguards to address risks identified by its risk assessments, and track and manage such assessments through a process involving Home Depot leadership.

In addition to these settlement terms, in March 2016 Home Depot agreed to settle consumers’ claims by paying $13 million, funding identity protection services and undertaking certain data security measures.