45 states assisted in the multistate investigation
TALLAHASSEE, FLORIDA — Florida Attorney General Ashley Moody’s Consumer Protection Division today secured a $17.5 million agreement with Georgia-based retailer The Home Depot, Inc.
A multistate investigation revealed that a 2014 data breach exposed the payment card information of approximately 40 million Home Depot consumers nationwide.
Home Depot must pay the state of Florida $923,292.
Attorneys general in 45 other states and the District of Columbia assisted in the multistate investigation.
“Consumers trust companies with the privacy and protection of their personal and financial information when making purchases,” said Moody.
“It is the responsibility of companies to uphold that trust. This action requires Home Depot to enact more stringent data protection practices necessary to strengthen vital security protocols to safeguard consumers’ financial information.”
The breach occurred when hackers gained access to Home Depot’s network and deployed malware on the company’s self-checkout points of sale.
The malware allowed the hackers to obtain the payment card information of customers that used self-checkout lanes at Home Depot stores throughout the U.S. from April 10, 2014 to Sept. 13, 2014.
In addition to the $17.5 million total payment to the states, Home Depot agrees to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.
Specific information security provisions in the agreement include:
• Employing a duly qualified Chief Information Security Officer, reporting to both the C-level executives and Board of Directors regarding Home Depot’s security posture and security risks;
• Providing resources necessary to fully implement the company’s information security program;
• Administering appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
• Implementing specific security safeguards with respect to access controls, encryption, file integrity monitoring, firewalls, intrusion detection, logging and monitoring, password management, penetration testing, risk assessments, two-factor authentication and vendor account management; and
• Undergoing a post-agreement information security assessment that in part will evaluate its implementation of the agreed-upon information security program.