[BreachExchange] A Closer Look At The Fallout From The Home Depot Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 9 17:51:10 EDT 2016


http://www.jdsupra.com/legalnews/a-closer-look-at-the-fallout-from-the-43009/

More than a year and a half ago, Home Depot announced that it had been a
victim of one of the largest data breaches in U.S. history.  Media outlets
reported that the breach had affected Home Depot’s customers who had made
purchases using the company’s self-checkout terminals.  The hackers had
used a third-party vendor’s username and password to infiltrate Home
Depot’s network and install a malware that allowed the criminals to access
shoppers’ payment and contact information for a period of five months.
According to reports from the media and the company, the hackers gained
access to 56 million credit and debit cards and obtained 53 million email
addresses.

With the benefit of time, what have been the consequences for Home Depot?

Unsurprisingly, one of the major fallouts from the data breach has been
litigation—lots of it and from different plaintiffs.  There are currently
three tracks of lawsuits proceeding against Home Depot.  First, in November
2014, consumers began to file suit, and more than forty-four of them were
ultimately consolidated in the Northern District of Georgia.  The good news
for Home Depot is that its legal fight with consumers appears to be coming
to an end.  Last month, the Court approved a preliminary settlement in
which Home Depot agreed to create a $13 million settlement fund to
reimburse the class and agreed to spend up to $6.5 million to fund eighteen
months of cardholder identity protection services.  In addition, Home Depot
agreed to provide increased data security measures for a period of two
years.

Second, in May 2015, a group of banks and credit unions  filed a
consolidated class action complaint against Home Depot, asserting claims
for negligence.  The financial institutions alleged that Home Depot’s data
breach caused them to cancel and re-issue millions of credit and debit
cards, and they estimated that they paid $150 million in reissuance costs
alone.  Home Depot has moved to dismiss these claims on Article III
standing grounds.  Interestingly, Home Depot settled with the consumer
class before the court ruled on a similar motion in that case.  Time will
tell whether the court is given an opportunity to decide the motion in the
context of financial institutions.

Third, as we have previously reported, in August 2015, shareholders filed a
derivative suit against Home Depot and twelve of its officers and
directors.  The shareholders claim that Home Depot and the individual
defendants breached their fiduciary duties by failing to ensure that Home
Depot took reasonable steps to protect consumers’ personal and financial
information.  Several weeks ago, Home Depot filed a motion to dismiss in
that case, largely arguing that the shareholders’ claims fail because they
had not complied with pre-suit demand obligations. The motion has not yet
been fully briefed.

Besides the expense and distraction of litigation, Home Depot announced in
its recent 10-K that it had recorded $161 million of pretax expenses, net
of expected insurance and recoveries, in connection with the breach
itself.  While $161 million is a huge sum of money, it could be worse.
Last year, Forbes estimated that the Home Depot would incur $10 billion in
costs related to the breach by the end of the decade.

But the news isn’t all bad.  Numerous media outlets have reported that Home
Depot’s stock didn’t suffer in the wake of the data breach.  While some
commentators have attributed Home Depot’s stock’s performance to data
breach fatigue, it could be because the company reacted to the breach with
candor and transparency.  Home Depot was relatively upfront with consumers
about the breach.  Target was not as candid with consumers, and its stock
prices tumbled after its data breach even though Target’s breach affected
fewer customers than Home Depot’s.

So, what are the takeaways?

•  Data breaches have far-reaching consequences to the victim company.

•  The out-of-pocket costs to deal with a breach may be enormous—even if a
company has insurance (as Home Depot appeared to).

•  Litigation may follow from numerous parties including customers,
vendors, counterparties, and shareholders.

•  A victim company’s immediate response to a breach is critical. In the
case of Home Depot, a candid response may have bolstered the company’s
stock prices.

Given the far-reaching consequences that may flow from a breach, a company
should begin preparing for a breach before it is faced with a data security
emergency.  Issues that require serious consideration are:

•  Does your company have adequate cybersecurity insurance?

•  Has your company mapped the types and locations of sensitive information?

•  Has your company conducted a cybersecurity audit?

•  Does your company have an incident response plan?

•  Has your company tested its preparedness for a breach by conducting a
tabletop exercise?

•  Will your company be prepared to develop a crisis communications plan
following a breach, and will your company have the ability to assert the
attorney-client privilege over its communications with a public-relations
firm?

•  Is your company compliant with industry regulators’ cybersecurity rules?
Is your company abreast of regulators’ latest proposed rules?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160509/4fa623d7/attachment.html>


More information about the BreachExchange mailing list