Data Breaches Can Cost $$ – Plus Ongoing Obligations (ask Home Depot): Lessons And Takeaways

12/04/2020 | 05:09am EST

The Home Depot, Inc. ("Home Depot") recently entered into a multi-state Assurance of Voluntary Compliance with Attorneys General of 46 states and the District of Columbia (the "Settlement") stemming from a massive 2014 data breach that exposed the payment card information of approximately 40 million Home Depot customers. In addition to the steep penalty, Home Depot is required to undergo an extensive security overhaul.

According to prior press releases from Home Depot and wide reporting on the incident, the data breach occurred when attackers gained access to Home Depot's network and planted malware that allowed the attackers access to payment card information of Home Depot customers who used self-checkout lanes at Home Depot stores between April and September 2014.

The Settlement includes not only $17.5 million in monetary payments to the states, but also requires that Home Depot implement a series of information security measures and undertake a number of oversight and reporting obligations. Note that the Settlement is in addition to the estimated more than $180 million in reported payouts that Home Depot has already forked over in litigation with customers, card issuers, and banks as a result of the breach.

"Retailers must take meaningful steps to protect consumers' credit and debit card information from theft when they shop," said Massachusetts Attorney General Maura Healey in a press release announcing the Settlement, "This settlement ensures Home Depot complies with our state's strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure." Similarly, Virginia Attorney General Mark Herring noted, "Businesses that collect or maintain sensitive personal information have a heightened duty to keep that information secure. These companies must make it a top priority to implement and adhere to reasonable practices and procedures that will protect consumers' information from bad actors."

The terms of the Settlement make clear that Home Depot cannot pay its way out of this and go back to business as usual; instead, there are concrete requirements such as CEO and Board of Directors reporting on security matters. This suggests that the Attorneys General were intent on ensuring that top management can never claim ignorance about the security of their organization. The Settlement also requires other tasks that cannot simply be tucked away in a drawer and forgotten about, such as documentation of the safeguards that Home Depot implements in response to annual risk assessments and penetration testing. The Settlement also requires that Home Depot operationalize extensive and specific vendor management requirements.

Settlement Security Obligations

Information Security Program

The Settlement requires Home Depot to implement a comprehensive information security program within 180 days that contains administrative, technical and physical safeguards appropriate to: (i) the size and complexity of Home Depot's operations; (ii) the nature and scope of Home Depot's activities; and (iii) the sensitivity of the personal information that Home Depot maintains.


Home Depot is also required to appoint a Chief Information Security Officer responsible for oversight of Home Depot's implementation and maintenance of the information security program prescribed by the Settlement. The Chief Information Security Officer will have a direct line to top management, as the position is specifically required to advise the Chief Executive Officer and Board of Directors on Home Depot's security posture, security risks, and security implications of Home Depot's decisions.


Finally, the Settlement requires that Home Depot provide annual security and privacy training to all personnel whose job involves access to the company's network or responsibility for customer personal information.

Required Specific Security Safeguards

Per the Settlement, Home Depot is required to include a laundry list of specific security safeguards in its information security program:

  • Security Incidents: reasonably designed and implemented for appropriate handling and investigation of security incidents
  • Network Software Support: maintain and support network software, taking into consideration the data security impact of updates
  • Encryption: protocols and policies designed to encrypt personal information and sensitive information stored on laptops or other portable devices or when transmitted across public networks or wirelessly
  • PCI-DSS Compliance
  • Segmentation: policies and procedures to segment network and permit systems to communicate as necessary to perform their business and/or operational functions
  • Logging and Monitoring: controls to manage access of any device attempting to connect to Home Depot's Cardholder Data Environment (technologies that store, process, or transmit payment card authentication data), through tools such as firewalls, authentication credentials, or other such access-restricting mechanism
  • SIEM: security information and event management tool to collect logs and monitor network activity
  • Access Control and Account Audits: policies, procedures, and controls to manage and audit the use of Home Depot's individual accounts, systems administrator accounts, service accounts, and vendor accounts, properly configured with unique user names and passwords, which shall be monitored for anomalous behavior indicative of a security event
  • Password Management: password policies and procedures requiring risk-based controls to manage access to and use of Home Depot's user accounts
  • Two-Factor Authentication: required for Home Depot's systems administrator accounts and for remote access into Home Depot's network
  • File Integrity Monitoring: controls to prevent and detect unauthorized modifications to critical applications or operating system files within the Cardholder Data Environment
  • Firewalls: firewall policies and procedures to restrict connections between internal networks to the Cardholder Data Environment
  • Payment Card Security: steps designed to manage the review and adoption of industry-accepted payment card security technologies
  • Devalue Payment Card Information: take steps such as implementing encryption throughout the course of a retail transaction at a Home Depot store
  • Risk Assessment Program:
      • Identification of internal and external risks to personal information
      • Assessment of safeguards in place to control these risks
      • Evaluation and adjustment of the information security program in response
      • Implementation of reasonable safeguards to control these risks; and
      • Documentation of safeguards implemented in response to such annual risk assessments
  • Penetration Testing: Annual penetration testing of internal and external network defenses, including documented remediation of identified vulnerabilities
  • Intrusion Detection Solution
  • Vendor Account Management: risk-based policies and procedures for auditing vendor compliance with Home Depot's information security program, to include:
      • Contractual requirements
      • Periodic evaluations of vendors' cybersecurity practices and compliance
      • Onsite security reviews of critical vendors' security practices
      • Granting vendors the minimum access necessary to perform their duties and responsibilities; and
      • Monitoring of IP addresses and login times typically associated with vendors
  • Third-Party Assessments

Home Depot is also required to obtain a third-party information security assessment and report to assess Home Depot's handling of personal information and its compliance with the information security program prescribed by the Settlement. A copy of the report must be delivered to the Attorney General of each state included in the Settlement upon request.

Takeaways for Businesses

It is sometimes difficult to find concrete examples from governmental authorities of required or recommended security measures, often leaving businesses unsure of exactly which measures they should implement. This Settlement, on the other hand, provides an invaluable list of security requirements that businesses would be well-advised to consider making part of their information security program.

The Settlement also provides an important basic foundational framework for vendor security management that businesses may wish to consider as they onboard and manage vendors that will have access to personal information and other sensitive data.

Finally, the Settlement serves as a reminder that failing to protect sensitive information can cost you millions, allow government regulators to force prescribed security requirements on your business, and put your company under a compliance microscope.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
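The vendor account monitoring item above (IP addresses and login times typically associated with vendors, monitored for anomalous behavior) is the kind of safeguard a SIEM rule can express directly. The following is an added illustration, not code from the Settlement, Home Depot, or the article's author: the vendor baselines and the log lines are constructed, and the one-line "timestamp account source_ip result" log format is an assumption.

```python
import ipaddress
from datetime import datetime

# Constructed baselines: the source ranges and working hours (UTC, start <= hour < end)
# each vendor account is contractually expected to use. Hypothetical values.
VENDOR_BASELINES = {
    "hvac-vendor": {"cidrs": ["203.0.113.0/24"], "hours": (8, 18)},
    "pos-maint":   {"cidrs": ["198.51.100.0/24"], "hours": (6, 22)},
}

# Constructed sample log in an assumed "timestamp account source_ip result" format.
SAMPLE_LOG = """\
2020-09-01T09:15:00 hvac-vendor 203.0.113.45 success
2020-09-01T23:40:00 hvac-vendor 203.0.113.45 success
2020-09-02T10:05:00 pos-maint 198.51.100.9 success
2020-09-02T02:30:00 pos-maint 192.0.2.17 success
2020-09-02T12:00:00 unknown-vendor 198.51.100.9 success
"""

def parse_line(line):
    """Split one log line into a typed event dict."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "result": result}

def check_login(event):
    """Return the list of baseline violations for one vendor login (empty if clean)."""
    base = VENDOR_BASELINES.get(event["user"])
    if base is None:
        # An account that no vendor contract covers is itself a finding.
        return ["unknown vendor account"]
    findings = []
    if not any(event["ip"] in ipaddress.ip_network(c) for c in base["cidrs"]):
        findings.append("source IP outside vendor baseline")
    start, end = base["hours"]
    if not (start <= event["ts"].hour < end):
        findings.append("login outside vendor's usual hours")
    return findings

def find_anomalies(log_text):
    """Run every line through the baseline check; return (account, ip, time, reasons) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = check_login(ev)
        if reasons:
            alerts.append((ev["user"], str(ev["ip"]), ev["ts"].isoformat(), reasons))
    return alerts
```

In practice the baselines would be loaded from the vendor onboarding records the Settlement's contractual requirements produce, and the alerts fed to the SIEM rather than returned as a list.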

Ms Cynthia Larose
URL: www.mintz.com

© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing
