Home Depot Hack Builds Case for Cyber Security

As the holiday season nears its peak shopping period, businesses with point-of-sale systems should be on red alert to prevent data breaches. The highly publicized attacks on Home Depot stores, where millions of credit card numbers and PINs were stolen over a period of six months, still reverberate throughout the retail sector.

If a data breach can happen to huge corporations like Home Depot, it’s almost certain it can happen to any enterprise or organization. But a recent court case around the Home Depot breach in Ontario shows how taking responsibility and swift action can make a difference.

When the attack was discovered in September 2014, the corporation acknowledged its systems were “desperately out of date.” It added a remediation plan had been in the works, but the directors had been too slow to implement it.

Class Action Suit

Two years later, in November 2016, the Ontario Superior Court of Justice approved a settlement agreement in a civil class action against Home Depot, reducing the amount settled on to $400,000 from more than $1 million. The unique approval was due to two primary issues. The judge determined there was no evidence the plaintiffs had suffered fraudulent charges or risked identity theft because of the breach, therefore there were no damages.

The second decisive factor was Home Depot’s response after the data breach, thought to be as a result of a third-party failure. The corporation issued a public response as soon as the attack became evident, contacting customers through emails and offering free credit monitoring and identity theft insurance. Canadian Justice Perell remarked the corporation’s response was “responsible, prompt, generous and exemplary.”

Lessons Learned

Prevention is better than a cure but having a plan in place to deal with a cyber incursion can mitigate the impact. This is of particular importance as amendments to Canada’s Digital Privacy Act are set to be enacted in 2017, along with hefty fines for non-compliance. Here are four key take-aways from the Home Depot case:

• Your company or organization’s cyber security system will be breached. It’s a matter of when, rather than if.
• Assess your cyber security systems appropriately, for both internal and third-party risks, such as suppliers, contractors and clients.
• Proper controls, policies and procedures in place enable quick response, reduce losses and can protect your organization’s reputation.
• Never doubt the return on investment for an up-to-date, comprehensive cyber security program.

The Home Depot case was in direct contrast to Yahoo, which in mid-December 2016 acknowledged a billion user accounts had been hacked as far back as 2013 and that earlier hacks happened in 2012. The disclosure impacted the $4.8-billion sale of Yahoo’s core business to Verizon Communications, which said it might seek to renegotiate the terms since the scale of the hacking hadn’t been disclosed before the deal was struck.

Big corporations have deep pockets to rebound from data loss and law suits. Does your business?