March 11, 2016
Client Alert

Home Depot Settles Data Security Breach Lawsuit, while University of Central Florida is Named in One

The nation’s largest home improvement retailer, the Home Depot, has agreed to pay at least $19.5 million to settle a class action lawsuit seeking compensation for approximately 55 million U.S. consumer cardholders whose information was the subject of a 2014 data breach. Terms of a preliminary settlement agreement were described in papers filed in the United States District Court for the Northern District of Georgia in Atlanta on March 7, 2016. Home Depot has agreed to create a $13 million fund that will be used to reimburse cardholders for out-of-pocket losses attributable to the breach. There will also be a $6.5 million fund created to provide cardholder identity protection services to affected cardholders. Home Depot has also agreed to invest in improved data security measures over the next two years and to hire a Chief Information Security Officer to oversee implementation of the new protective measures.

In a press release issued after the breach was discovered, Home Depot explained that affected customers used payment cards on its self-checkout terminals in U.S. and Canadian stores between April and September 2014. The breaches occurred after hackers used a vendor's username and password to infiltrate Home Depot’s computer network and steal shoppers' payment card information using custom-built malware. The Home Depot breach shares similarities with earlier breaches against retailer Target and restaurant operator P.F. Chang's, leading some to conclude the same groups may be responsible.

On March 8, 2016, a lawsuit was filed in the United States District Court for the Central District of Florida against the University of Central Florida (UCF), alleging class-based claims for negligence, breach of implied contract, conversion and bailment because UCF failed to safeguard the personal or financial information of persons affected by the breach. On February 4, 2016, UCF issued a notice that it had suffered an intrusion into its computer network. The lawsuit alleges that approximately 63,000 present and former students and employees of the university had their personally identifiable information compromised. For one group of affected student-athletes and staff members, the information involved first and last names, Social Security numbers, student ID numbers, sports team membership, whether the student-athletes were recruited or walk-ons, and number of credit hours taken and credits in progress. For a second group consisting of employees, the information involved first and last names, Social Security numbers and UCF-issued Employee Identification Numbers. UCF reported that no medical records, financial information or grades were involved for either affected group.

UCF has offered to provide affected persons with credit reporting services, including daily monitoring and alerts of suspicious activity on credit reports, identity theft insurance of up to $1 million, and fraud representative customer care, all for one year. The university also offered to provide, on an ongoing basis, Experian fraud resolution support, through which a fraud agent can provide assistance resolving issues that arise related to the credit reports of affected persons.

These two developments in the rapidly evolving world of cyber and data security provide reminders that all organizations must be ever vigilant. But, no matter how vigilant they remain, incidents resulting in the compromise of sensitive information may not be possible to prevent. Therefore, all organizations must continually plan to prevent them and be ready to respond quickly if and when an incident occurs. Most organizations simply cannot avoid collecting and maintaining personally identifiable information in order to carry out their missions. Data security and privacy concerns have become a critical part of every modern organization’s operational infrastructure. Just as office buildings and storefronts have locks on the doors and sophisticated security systems, effective cyber and data security measures must be installed. Computer hardware and software systems must not simply function, but they must also keep intruders out and sensitive information protected. In order to achieve these objectives and to protect your organization when a data breach incident does occur, cyber and data security must become a part of your organization’s strategic planning process, and security must become a part of your organization’s culture. Security cannot be relegated to the mundane category of “just another IT issue,” as though it were not foundational to the organization’s success. Organization-wide awareness and buy-in are necessary. Your Chief Information Security Officer, or the person who performs that role without the title, should have a seat at the table to be made aware of and have input on new initiatives.

Legal risks must be identified and understood. What are your organization’s compliance requirements? Are they being addressed effectively? Contract reviews with all business partners and vendors should be conducted with cyber and data security as a primary objective, not an afterthought. What is your formal breach response plan, and who will execute it? Managing cyber risk effectively requires selection and implementation of a robust cybersecurity framework. Have you undertaken a strategy of picking off the lowest hanging fruit by focusing on the fundamentals and reducing human error? Have you identified critical assets and do you have effective management tools in place for your most important data analysis and technology tools? Do you have in place a system of independent reviews? How frequently are they conducted? Have you considered your options for insurance and other economic protections relating to cyber and data security? What are you trying to protect against? What are the biggest risks and threats to your organization relating to cyber and data security?

It is important to have well-thought-out answers to these questions prepared before an incident occurs, like the one Home Depot is settling, or the incident that is consuming much of leadership’s time at the University of Central Florida.
