Home Depot reaches USD 17.5 mln settlement of 2014 breach lawsuit

The settlement, which involves 46 states and Washington, D.C., stems from the breach that happened between April 10 and Sept. 13, 2014, when fraudsters planted credit card skimming malware in Home Depot's network to steal customer payment data. In addition to the financial component of the settlement, the company agreed to implement specific cybersecurity measures to safeguard the personal information of its customers.

Home Depot has created a USD 13 million fund to allow for payments to customers who have documented losses attributed to the breach. Customers will also have the option to receive 18 months of free credit monitoring.

As part of the settlement, The Home Depot must:

• employ a CISO reporting to both senior executives and the board of directors;
• provide the resources necessary to fully implement the company's information security program;
• provide appropriate security awareness and privacy training to all personnel who have access to the company's network or responsibility for US consumers' personal information;
• implement security safeguards, including logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor account management.

The Home Depot will also undergo a post-settlement review to ensure the agreed-upon details are being implemented.