Settlement Agreement

TRENTON – Attorney General Gurbir S. Grewal announced today that New Jersey will receive $579,623 as part of a settlement with Home Depot that resolves allegations the retailer had inadequate security measures in place when data thieves infiltrated its information systems in 2014, compromising the personal information of millions of consumers across the United States.

Altogether, Home Depot will pay $17.5 million to 45 states and the District of Columbia, to resolve a multi-state investigation launched in the wake of a breach of the company’s point-of-sale information systems – specifically those involving its self-checkout kiosks.  New Jersey served on the Executive Committee for the investigation.

In addition to its monetary terms, today’s settlement requires Home Depot to implement extensive reforms designed to prevent future breaches by strengthening its data security systems and encryption protocols.

“We’re committed to ensuring that companies adopt the cybersecurity measures necessary to protect their consumers’ sensitive information and to prevent identity theft,” said Attorney General Grewal. “Multi-state settlements like the one announced today incentivize companies to adopt best practices. And with our creation of the Data Privacy and Cybersecurity Section in the Division of Law, New Jersey is increasingly playing a significant role in multi-state investigations to protect the privacy of consumers across the country.”

“As self-checkout options proliferate and shoppers increasingly elect to pay using their phones or credit cards, retailers have a greater responsibility than ever to safeguard not only their online data systems, but their point-of-sale systems as well,” said Division of Consumer Affairs Acting Director Paul R. Rodríguez. “If retailers are going to receive consumers’ personal information and retain it in a database, they have a duty to be vigilant about securing their data. The terms of this settlement are designed to ensure that happens going forward.”

As a result of the data breach at Home Depot, intruders obtained the names, payment card numbers, expiration dates and security codes of more than 40 million individuals between April 10, 2014 and September 13, 2014. In addition, the attack resulted in the compromise of 53 million consumer email addresses and passwords. Home Depot did not discover the breach until months later.

The multi-state investigation looked at how intruders bypassed Home Depot’s cyber protection measures and placed malware enabling the theft of consumer information that consumers entered at store self-checkout kiosks. The settlement includes a host of injunctive terms designed to shore up cyber security at Home Depot, including requirements that the company:

• Create an Information Security Program headed by an executive or officer whose chief role will be to implement the program and advise Home Depot’s CEO and Board of Directors on security issues;

• Provide security awareness and privacy training for all Home Depot personnel whose jobs involve access to, and responsibility for, the company network or consumers’ personal data;

• Maintain encryption protocols designed to encrypt personal information stored on laptops or other portable devices, or when transmitted across public networks wirelessly;

• Seek to devalue payment card information through such methods as encrypting  that information throughout the course of a retail transaction at a Home Depot store;

• Take steps to scan and map the connections between its cardholder data environment and the rest of Home Depot’s company network to determine avenues of traffic and identify potential vulnerabilities;

• Implement password policies that use controls designed to manage access to, and use of, Home Depot’s individual accounts, service accounts and vendor accounts. The policies must require strong and complex passwords and password rotation, and prohibit the use of default, group, shared, or generic passwords;

• Adopt a two-factor authentication approach both for the company’s system administrator accounts and for remote access to the company network; and

• Employ firewall policies and use software and hardware tools that restrict connections between Home Depot’s internal networks and its cardholder data environment.

Deputy Attorney General Kashif T. Chand, Chief of the Data Privacy & Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group and Deputy Attorney General Jesse J. Sierant, Assistant Section Chief of the Consumer Fraud Prosecution Section in the Division of Law’s Affirmative Civil Enforcement Practice Group, handled the Home Depot matter on behalf of the State.

###