The Attorneys General of 46 states reached a $17.5 million-dollar settlement with The Home Depot, which was announced on November 24, 2020. Texas Attorney General Ken Paxton announced that this settlement was led by the Connecticut, Illinois, and Texas AGs and Texas will collect $1,777,440.00.
I will have more to say about this settlement in the coming days — especially about the requirements for a CISO and written Information Security Program — but, here are the first two thoughts that immediately come to mind:
First, $17.5 million-dollars does not feel like a lot of money vis-a-vis the overall impact this data breach has had on the data breach landscape and the attention it has garnered. However, as we all know, feelings can be deceiving: Home Depot has already reached a $42.5 million-dollar settlement with consumers ($27.25 million) and financial institutions ($14.5 million), plus an additional $15,263,300 in legal fees, expenses, and interest. This puts the total amount at least $57,763,300 prior to the AG settlement and now $75,263,300 with the AG settlement. This amount does not include The Home Depot’s own legal fees and expenses for all of these proceedings.
Second, this has taken a long time. This data breach occurred between April 10, 2014 and September 13, 2014 — it is now November 2020 — six years! Six years is a long time to be dealing with any event, much less one as stressful as this — how much time, mental energy, and productivity was lost during that time? And, back to point #1, we lawyers are not cheap. To have the meter running for 6 years addressing all of these different proceedings, it has to be a substantial cost.
Stay tuned for more thoughts on this issue in the days ahead.