As reported on our sister blog Consumer Privacy World, Home Depot recently reached a settlement in a lawsuit related to a September 2014 data breach that affected the payment card information of nearly 40 million customers.

In addition to a financial settlement, Home Depot agreed to implement and maintain various cybersecurity protocols, including:

  • Develop a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality of the personal information Home Depot collects or obtains from customers;
  • Employ a qualified Chief Information Security Officer who will report to both the Senior or C-suite executives and Board of Directors regarding Home Depot’s security posture and security risks;
  • Provide resources necessary to fully implement the company’s information security program;
  • Provide security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
  • Adopt security safeguards with respect to logging and monitoring, access controls, password management, two factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Obtain (consistent with other state data breach settlements) an information security assessment and report from a third-party professional to assess Home Depot’s handling of consumer personal information and compliance with its information security program.

Additional details on the settlement may be found here.