On August 29th, Justice Paul Perell of the Ontario Superior Court approved a settlement in the class action lawsuit against Home Depot arising from a data breach it suffered in 2014. Justice Perell said that “(t)he case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification.”
Essentially, the court declared that Home Depot did not do anything wrong and could not have prevented the data breach. Even so, this breach cost Home Depot Canada about $520,000 in legal fees and settlement costs, on top of the millions of dollars Home Depot spent in Canada providing its customers with credit card monitoring services. Settling a class action is now one more cost of remediating a data breach in Canada.
Home Depot responded well (it contained the breach quickly, identified the stolen information, notified affected people as soon as possible, and offered to pay for credit monitoring services). This indicates it was able to identify which information was affected by the breach.
We believe the specific data breach that Home Depot suffered could have been mitigated if it had been more proactive with a comprehensive Information Governance strategy.
The breach involved hackers gaining access to credit card terminals through a third-party vendor that contracted with Home Depot. When a consumer swiped their credit card at the terminal, the card information was transmitted, unencrypted, to a central Home Depot computer for processing. Over the course of five months, the hackers intercepted the information along the way, capturing the consumer's credit card account information, email address, and purchase data. Following the breach, Home Depot replaced the terminals with ones that transmitted the information in encrypted form, so that even if it was intercepted, it could not be deciphered.
In 2013, Home Depot suffered two small data breaches. At that time, it was advised by security experts to activate the encryption function of its credit card terminals. However, it decided not to do this in order to save money.
Home Depot could also have implemented or enforced more stringent IG practices, including policies on data transmission (which would have required encryption), data retention (which may have prevented some email addresses from being stolen) and ongoing compliance monitoring (which may have allowed it to discover the breach much more quickly).
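The three practices above map directly onto controls a payments pipeline can implement. The following Python example is added here to illustrate them; it is not Home Depot's code or that of its terminal vendor, and every name in it (the sample transaction, the `DEMO_KEY`, the field names, the stdlib-only encrypt-then-MAC construction standing in for the terminal's real point-to-point encryption) is an assumption made for the example. It shows the same transaction leaving a terminal unencrypted and encrypted, a compliance monitor that flags any Luhn-valid card number visible on the wire, a processor that rejects altered records, and a retention filter that keeps only what settlement needs:

```python
import hashlib
import hmac
import json
import re
import secrets
from typing import List, Optional

# Constructed sample transaction, the kind of record a terminal sends to the
# central processor. The PAN is the standard 4111... test number.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "1227",
    "amount_cents": 4599,
    "email": "customer@example.com",  # constructed address
}

# Hypothetical key shared between terminal and processor (assumption).
DEMO_KEY = secrets.token_bytes(32)


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _derive_keys(master: bytes):
    # Separate keys for confidentiality and integrity.
    return _prf(master, b"enc"), _prf(master, b"mac")


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream from the PRF; stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += _prf(enc_key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt_record(master: bytes, record: dict) -> bytes:
    """Terminal side: encrypt-then-MAC before anything reaches the wire."""
    enc_key, mac_key = _derive_keys(master)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = _prf(mac_key, nonce + ciphertext)
    return nonce + ciphertext + tag


def decrypt_record(master: bytes, wire: bytes) -> dict:
    """Processor side: verify the tag first; reject altered or mis-keyed records."""
    enc_key, mac_key = _derive_keys(master)
    nonce, ciphertext, tag = wire[:16], wire[16:-32], wire[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ciphertext)):
        raise ValueError("authentication failed: record altered or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def terminal_send(record: dict, master: Optional[bytes]) -> bytes:
    """Bytes that leave the terminal. master=None models the unencrypted path."""
    if master is None:
        return json.dumps(record, sort_keys=True).encode()
    return encrypt_record(master, record)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"\b\d{13,19}\b")


def plaintext_pans(wire: bytes) -> List[str]:
    """Compliance monitor: a Luhn-valid PAN readable on the wire is a finding."""
    return [m.decode() for m in PAN_RE.findall(wire) if luhn_ok(m.decode())]


def minimize_for_storage(record: dict) -> dict:
    """Retention policy: keep only the fields settlement and reconciliation need."""
    return {"pan_last4": record["pan"][-4:], "amount_cents": record["amount_cents"]}


if __name__ == "__main__":
    print("unencrypted wire findings:", plaintext_pans(terminal_send(SAMPLE_RECORD, None)))
    wire = terminal_send(SAMPLE_RECORD, DEMO_KEY)
    print("encrypted wire findings:", plaintext_pans(wire))
    print("processor decoded:", decrypt_record(DEMO_KEY, wire))
    print("stored:", minimize_for_storage(SAMPLE_RECORD))
```

Run as a script, the unencrypted path yields one finding (the full PAN) while the encrypted path yields none; the monitor is the kind of check that, run continuously against terminal traffic, would have surfaced cleartext card data long before five months had passed. A production deployment would use a vetted AEAD cipher and a hardware-protected terminal key rather than the PRF construction shown here.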
Even though Home Depot responded well to the breach, it still incurred costs in the millions of dollars. Implementing and enforcing Information Governance ahead of time would likely have mitigated those costs, and been a better use of the money.