On March 8, 2017, a proposed settlement agreement was submitted for court approval to conclude class action litigation by certain banks and other financial institutions against Home Depot relating to a 2014 breach of Home Depot’s payment data systems. Under the proposed settlement, Home Depot will pay $25 million to a settlement fund for distribution to the banks and financial institutions and will separately pay additional costs and attorneys’ fees and expenses.

In addition to the payment obligations, the proposed settlement provides that for at least two years Home Depot will adopt and implement the following security measures to reduce the risk of a future data breach:

Safeguards:  Design and implement reasonable safeguards to manage risks identified through data security risk assessments tracked and managed using a risk exception process that involves Home Depot leadership and is reviewed on an annual basis.

Vendor Management:  Select and retain information technology service providers and other vendors capable of maintaining appropriate security practices. Annually assess, including on-site visits where appropriate, service providers and vendors with access to payment card information to validate compliance with security practices.

Security Control Framework:  Design and implement an industry recognized security control framework appropriate for Home Depot’s environment.

The required security measures are consistent with cyber risk management guidance issued by Canadian regulators and self-regulatory organizations. See Guidance for Supply Chain Cyber Risk Management, Regulatory Enforcement Action Emphasizes Need for Information Security Governance Framework and Cyber Risk Management Guidance for Corporate Directors.