Settlement in Home Depot Class Action Provides Data Security Corporate Governance Framework for Companies

Nossaman LLP

The latest settlement in Home Depot’s data breach litigation provides a data security framework for corporate governance that may be used by other companies as a template.  Based on claims arising from a massive data breach in 2014 involving 56 million credit cards, Home Depot Inc. recently settled both a shareholder derivative action and a class action filed by financial institutions.  Both settlements were filed and approved by the U.S. District Court for the Northern District of Georgia.  As part of a third settlement of a direct consumer class action in 2016, Home Depot had already agreed to set up a $19.5 million fund to reimburse its affected consumers, and to hire a chief information security officer (CISO).

The recent settlement in In re: The Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 15-cv-02999 provided nine corporate governance provisions that focus on corporate reform in data security, and were designed to improve Home Depot’s ability to prevent and respond to future attacks.  Home Depot and its board of directors agreed to:

(i) document the duties and responsibilities of the newly-hired CISO;

(ii) periodically conduct tabletop cyber exercises to validate Home Depot’s processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas;

(iii) monitor and periodically assess key indicators of compromise on computer network endpoints;

(iv) maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;

(v) maintain an executive-level committee focused on the Company’s data security;

(vi) receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;

(vii) maintain an incident response team and an incident response plan;

(viii) maintain membership in at least one information sharing program; and

(ix) retain their own IT, data and security experts and consultants as they deem necessary.

The Home Depot shareholder derivative settlement agreement offers a valuable example of cybersecurity-focused corporate governance practices to all companies, including consumer-facing retailers, for implementing data breach protections and conducting post-breach remedial actions.  Additionally, companies should consider using tools such as Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA), which are designed to assess privacy and security frameworks and are also important in identifying risks and implementing the processes necessary to meet regulatory and business expectations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising
