45 states participated in the multistate investigation
TALLAHASSEE, FLORIDA – The consumer protection division of Florida Attorney General Ashley Moody today signed a $17.5 million settlement agreement with Georgia-based retailer The Home Depot, Inc.
A multistate investigation found that a 2014 data breach exposed the payment card information of around 40 million Home Depot customers nationwide.
Home Depot must pay $923,292 to the state of Florida.
Attorneys general in 45 other states and the District of Columbia took part in the multistate investigation.
“Consumers trust companies to protect the privacy and security of their personal and financial information when shopping,” said Moody.
“It is the responsibility of companies to maintain this trust. To do this, Home Depot is required to apply stricter privacy practices, which are necessary to strengthen key security protocols protecting consumers’ financial information.”
The breach occurred when hackers gained access to Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale systems.
From April 10, 2014 to September 13, 2014, the malware allowed the hackers to harvest the payment card information of customers who used self-checkout lanes in Home Depot stores in the United States.
In addition to the total payment of $17.5 million to the states, Home Depot has committed to implementing and maintaining a number of data security practices to strengthen its information security program and protect consumers’ personal information.
Specific information security provisions in the agreement include:
• Hiring a duly qualified Chief Information Security Officer who reports to both C-level executives and the Board of Directors on Home Depot’s security posture and security risks;
• Providing the resources necessary to fully implement the company’s information security program;
• Administering adequate security awareness and privacy training to all employees who have access to the corporate network or who are responsible for US consumers’ personal information;
• Implementing specific security measures related to access controls, encryption, file integrity monitoring, firewalls, intrusion detection, logging and monitoring, password management, penetration testing, risk assessments, two-factor authentication and vendor account management; and
• Undergoing a post-settlement information security assessment that, in part, evaluates the implementation of the agreed information security program.