November 25, 2020 – SACRAMENTO – California Attorney General Xavier Becerra on Tuesday announced a $17.5 million multi-state settlement with The Home Depot, Inc. (Home Depot) over a 2014 data breach. California will receive more than $1.8 million from the settlement, which also includes cease and desist requirements obliging Home Depot to tighten its information security program to prevent future violations.
“Families should always be assured that their personal information is safe when shopping. Any company like Home Depot that collects sensitive personal information needs to get their house in order and provide adequate data security,” said Attorney General Becerra. “As today’s agreement shows, companies that fail to secure data adequately have grave consequences.”
In 2014, Home Depot reported a breach of its payment card system. Attackers used stolen credentials to access Home Depot’s network and then installed malware on point-of-sale (POS) devices in Home Depot stores. The breach compromised the payment card information of approximately 40 million customers.
The multi-step investigation found that Home Depot did not implement basic security procedures that addressed known technological vulnerabilities and did not properly monitor suspicious activity on systems storing personal information. The company was also unaware of the evolution of security standards.
The cease and desist provisions require Home Depot to adhere to robust data security enhancements to prevent future breaches, including implementing a comprehensive information security program to protect the integrity and confidentiality of consumers’ personal information. The settlement also stipulates that Home Depot will provide security awareness and privacy training to all employees responsible for consumer personal information or the corporate network. Home Depot will also tighten policies and procedures for a number of security features, including security technologies for payment cards.
Today’s agreement underscores Attorney General Becerra’s commitment to holding companies accountable for protecting customer information. Late last month, Attorney General Becerra reached an $8.69 million settlement with Anthem, Inc., resolving similar allegations that the health insurance company violated consumer and privacy laws due to a 2014 privacy breach. In July 2019, Attorney General Becerra announced a $600 million settlement with Equifax that resolved allegations that the credit bureau had disclosed the personal information of 147 million consumers. And in May 2017, Attorney General Becerra secured a record $18.5 million multi-state settlement with Target in response to claims that the company’s security breaches during the 2013 holiday season resulted in the disclosure of credit card information of over 40 million customers.
In securing the settlement, Attorney General Becerra joins the attorneys general of Connecticut, Illinois, Texas, Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and the District of Columbia.
You can find a copy of the complaint here. A copy of the proposed judgment can be found here.
Source: CA. DOJ