Date: 2020-11-24
After a data breach exposed customers’ payment card information in 2014, The Home Depot agreed to a $17.5 million settlement with 46 states and the District of Columbia, including Maryland.
Maryland Attorney General Brian E. Frosh announced the agreement Tuesday. It comes with a series of data security and governance provisions to protect customers’ personal information, Frosh’s office said in a statement.
Hackers accessed The Home Depot’s network and deployed malware on the self-checkout system at stores across the country between April 10 and Sep. 13, 2014, affecting approximately 40 million people, according to the statement.
“Far too often, companies fail to protect consumers’ personal information from unlawful use or disclosure,” Frosh said in a prepared statement. “As a result, consumers suffer harm personally and financially. The data security measures required by this settlement will help protect the personal information of Marylanders and other consumers throughout the country.”
According to the Maryland attorney general’s office, The Home Depot, under the settlement, agreed to strengthen its security practices in a number of ways, including:
- Employing a duly qualified chief information security officer reporting to both executives and the board of directors regarding The Home Depot’s security posture and security risks;
- Providing resources to implement the company’s information security program;
- Providing security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
- Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor account management; and
- Consistent with previous state data breach settlements, the company will undergo a post-settlement information security assessment that will evaluate its implementation of the agreed-upon information security program.
