The latest settlement in Home Depot’s data breach litigation provides a data security framework for corporate governance that other companies may use as a template. Home Depot Inc. recently settled both a shareholder derivative action and a class action brought by financial institutions, each based on claims arising from the massive 2014 data breach that compromised 56 million credit cards. Both settlements were filed with, and approved by, the U.S. District Court for the Northern District of Georgia. Under a third settlement, of a direct consumer class action in 2016, Home Depot had already agreed to set up a $19.5 million fund to reimburse affected consumers and to hire a chief information security officer (CISO).
The recent settlement in In re: The Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 15-cv-02999 sets out nine corporate governance provisions focused on data security reform and designed to improve Home Depot’s ability to prevent and respond to future attacks. Home Depot and its board of directors agreed to:
(i) document the duties and responsibilities of the newly-hired CISO;
(ii) periodically conduct tabletop cyber exercises to validate Home Depot’s processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas;
(iii) monitor and periodically assess key indicators of compromise on computer network endpoints;
(iv) maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;
(v) maintain an executive-level committee focused on the Company’s data security;
(vi) receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;
(vii) maintain an incident response team and an incident response plan;
(viii) maintain membership in at least one information sharing program; and
(ix) retain their own IT, data and security experts and consultants as they deem necessary.
The Home Depot shareholder derivative settlement agreement offers all companies, including consumer-facing retailers, a valuable example of cybersecurity-focused corporate governance practices for implementing data breach protections and conducting post-breach remedial actions. Additionally, companies should consider using tools such as Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs). These assessments, designed to evaluate privacy and security frameworks, are also important in identifying risks and implementing the processes needed to meet regulatory and business expectations.