Home Depot offered to pay $19 Million to settle a class action lawsuit brought after a 2014 data breach at the retailer exposed 56 million credit card records about a year ago. This offer not only demonstrates how costly a data breach can be, but also draws attention to the liability smaller companies can have.
Right now you may be thinking: “My company is not as large as Home Depot. We don’t have 56 million records.” Don’t let that lull you into a false sense of security. This breach actually occurred because the access credentials for a third party vendor to Home Depot were stolen, giving the hackers access to the systems at Home Depot. That opens up the door for litigation against the vendor for recovery of costs. Could your company afford that risk?
As a vendor to any larger company, your data security policies and practices need to protect your client as well as the end customer. Recent legislation has made smaller businesses, like vendors, responsible for the security of customer data as your client is, unless you can demonstrate that your data security practices were as good as they needed to be – and demonstrating that means litigation, and legal costs.
In this case, the breach was caused by the number one cause of data breaches: an employee. And, while the amount of the Home Depot offer seems astronomically high, the fund for recovery costs in Home Depot’s offer provides only about 23 cents per record affected. Given that the average cost per record to recover is more than $158, this is an insignificant drop in the bucket of potential loss. And, by signing off on the settlement class members will undoubtedly give up the right to sue Home Depot for additional costs not covered by that fund, which leaves the vendor that caused this breach exposed and potentially liable for the balance of the recovery costs, which could be as much as $8.5 Billion dollars – or more.
The Home Depot offer specifically stated that the company is not admitting to any liability, and that they were just interested in putting expensive litigation behind them. The settlement offer also includes a pledge by the retailer to improve data security. But it doesn’t address recovery costs the Home Depot offer does not cover; and it leaves the door open for the vendor to be sued for their role in the breach.
Many companies pay very close attention to electronic access to their systems. Some prevent employees from browsing certain high-risk sites, or sites where hackers may be lurking to try to gain access. But are you really sure you’re secure? As Bring Your Own Device (BYOD) practices become more common – or storage devices for remote workers and others become smaller and easier to conceal –your company risk for a physical breach is increasing. Are you sure you’re prepared?
Want to read about the settlement? Here’s the link, in case you missed it: https://www.cnet.com/news/home-depot-offers-19m-to-settle-customers-hacking-lawsuit/