Remember Home Depot’s massive data breach in 2014? The one where 56 million customers had their financial data compromised? Cybercriminals hacked the big-box store’s security network using third-party credentials and installed malware that copied payment card details.
Shareholders brought a lawsuit against the company on behalf of all the shareholders, claiming the data breach was foreseeable and stemmed from the board of directors failing to implement appropriate security measures. You can see a copy of the complaint here.
On Nov. 30, 2016, a federal judge in Atlanta dismissed the litigation, finding that Home Depot’s C-Suite and board members tried to mitigate data security weaknesses, even though their efforts proved to be inadequate. U.S. District Chief Judge Thomas Thrash held, “As long as the outside directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty.”
While the judge agreed Home Depot’s governing board “probably should have done more,” Thrash said that making the wrong decision in response to red flags “is not enough to plead bad faith.”
As reported in this story, “when the data breach was discovered in September 2014, the company’s data security systems were still ‘desperately out of date,’ according to its then CEO, the judge’s order said. Thrash noted in his order that the total cost to Home Depot as a result of the thefts is estimated to reach nearly $10 billion.”
Back in March, Home Depot agreed to pay customers $13 million to settle a privacy breach suit over the 2014 hack, but it didn’t admit any wrongdoing. You can find details about that settlement online.
Another big data breach derivative suit against Target’s board, in response to its 2013 cyber breach, was dismissed in July. Read more about that here.