Home Depot Data Breach
How it works
Individuals who have discovered unauthorized charges on their credit cards or learned that someone has used their name to take out a loan are not alone. A recent CNN/Money magazine article reports that more than 13 million people were identity fraud victims last year, up from 12.6 million in 2012, based on a recent study by San Francisco-based Javelin Strategy & Research. It was the second highest number of victims in the 10 years Javelin has conducted its study. With fraud on the rise, consumer data is at risk.
Just this year, thieves have targeted customer data at eBay, Home Depot, Neiman Marcus, and Target. For years, retail organizations and financial institutions have known that having payment card numbers in their company databases required some level of protection. Thieves use this stolen data to make purchases, develop fake IDs, take out fraudulent loans, and perpetrate other illegal activities. Internal auditors need to add protecting credit and debit card information to their long list of fraud threats.
Identity theft in the United States is commonly viewed as a growing problem. However, the best available data indicates that certain types of identity theft are growing while other forms are becoming less common. The most discernible problem for individuals worried about identity theft remains the disclosure of sensitive personal data, such as social security numbers. Examples of recent data breaches at major companies —Target, Sony, JPMorgan Chase, and the Home Depot, to name a few—demonstrate that disclosure of personal information to unauthorized third parties must be prevented to ensure security. The breach of payment card systems at the Home Depot in 2014 resulted in the theft of a wealth of information. This Note will examine the facts and legal consequences of the Home Depot breach under three separate frameworks. First, this Note will examine the Home Depot’s responsibilities arising under existing data breach notification statutes. Second, this Note examines the Home Depot’s potential liability if the recent bill introduced by Senator Leahy of Vermont proposing a federal data breach notification framework becomes law; ultimately, however, this Note finds that state notification statutes fail to adequately protect consumers, and Senator Leahy’s bill, while better suited than existing state notification statutes, is unlikely to be effective. Lastly, this Note examines the Home Depot’s potential liability if the Federal Trade Commission (FTC) were to adopt a penalty structure similar to those in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) and concludes that a data protection model that imposes similar kinds of penalties for companies that suffer breaches of sensitive consumer data would better serve the public interest.
Three States of Data:
Personally identifiable information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. This includes information such as credit card, checking account, social security, and driver’s license numbers that uniquely identify an individual. Businesses collect such information whenever someone makes a purchase. This enables companies to verify that the person using the payment method is authorized to do so and is who he or she claims to be. Although collecting customer data is a good business practice to prevent fraudulent activity, the moment organizations bring PII into their databases, they become custodians of it. As custodians, they are obligated to protect that information. Additionally, auditors have a duty to point out instances where customer PII may need to be protected, and they should look critically at internal systems where customers’ data is available for all to see or access.
Data in use: Data on terminals, displays, hand-held devices, paper reports, or other devices that employees use to do their jobs.
Data at rest: Information stored on file servers, computers, tablets, or information repositories such as email and Web servers.
Data in motion: Data sent over networks.
Knowing the state of the data goes a long way toward understanding how to protect and audit it. In most cases, the data at rest needs to be safeguarded. This usually is done through encryption. However, in some cases data is not encrypted because management may believe that the data is on a protected device or network. The other reason people will not encrypt data is because of performance issues such as the time needed to encrypt and decrypt the data. In either case, if the protected device is somehow compromised, the data would be in plain sight and at risk. Encryption also is the preferred method of protecting data in motion. However, depending on the networks in use, it may not be possible to encrypt data if the receiver of the information does not have a way to decrypt it. In such cases, the organization should consider implementing other data security measures such as password protection, security keys, and biometric identification.
Above all, internal auditors need to be aware of the exact information the organization is trying to protect, and the cost associated with protecting it. Additionally, as this is primarily a data security issue, the information security group should assist in any projects in this area.
Audit Focus
Once internal auditors know which information needs to be protected and how to do so, they need to perform a simple inventory to find out where it exists in their organization. For example, auditors should use a spreadsheet to perform the inventory analysis.
On one side, the auditor should list each application system, hardware device, report, and item that may contain PII. At the top, the auditor should list the three data states — data in use, data at rest, and data in motion— and use a simple check to identify whether PII exists. Next to the cells in the spreadsheet where the PII exists, the auditor can add a column to indicate how that PII item is protected or note where the data is in plain sight and may need additional protection. This spreadsheet can function as a road map to locate all the organization’s PII data and identify the method used to protect it. Moreover, it can demonstrate the organization’s due diligence in protecting this information. Now that auditors know where all the data resides, they can scope and plan to assess the organization’s risks. In addition to testing the encryption in place, auditors should focus on controls over how data is used as well as appropriate data security policies and procedures. Based on the inventory analysis, auditors can decide whether the data is at risk of compromise and then decide on an appropriate protection method. Some examples include.
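The inventory road map and the "plain sight" check described above, as an added example that is not code from the original article. It builds the asset-by-state matrix as CSV, flags PII assets with no protection recorded, and scans sampled at-rest contents for Luhn-valid card numbers so an auditor can confirm whether payment data really is sitting unencrypted. The asset names, the sample export and the protection labels are constructed for illustration; the script records only the last four digits of anything it finds, so the audit output does not itself become a store of card numbers.

```python
"""PII inventory across the three data states, plus a plaintext-card check.

Added example, not code from the original article. Asset names, the sample
export and the protection labels are constructed for illustration.
"""
import csv
import io
import re

STATES = ("in_use", "at_rest", "in_motion")

# Constructed inventory rows: one per asset, with the data state the asset
# represents, whether it holds PII, and the protection recorded for it.
INVENTORY = [
    {"asset": "POS terminal display", "state": "in_use",    "pii": True,  "protection": "masked PAN"},
    {"asset": "orders_export.csv",    "state": "at_rest",   "pii": True,  "protection": ""},
    {"asset": "payment gateway link", "state": "in_motion", "pii": True,  "protection": "TLS"},
    {"asset": "internal wiki",        "state": "at_rest",   "pii": False, "protection": ""},
]

# Constructed contents for the at-rest asset above. The first card passes the
# Luhn check, the second is an arbitrary digit string, the third is masked.
SAMPLE_CONTENTS = {
    "orders_export.csv": (
        "order_id,customer,card,amount\n"
        "1001,A. Customer,4111 1111 1111 1111,42.10\n"
        "1002,B. Customer,1234-5678-1234-5678,10.00\n"
        "1003,C. Customer,************4242,99.99\n"
    ),
}

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_plaintext_cards(text: str) -> list:
    """Return masked forms (last four digits kept) of Luhn-valid card numbers
    found in plaintext, so the audit record does not store full PANs."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def inventory_csv(inventory) -> str:
    """Render the spreadsheet road map: one row per asset, an X under the
    data state where PII exists, and the protection method recorded."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["asset", *STATES, "protection"])
    for row in inventory:
        marks = ["X" if (row["pii"] and row["state"] == s) else "" for s in STATES]
        writer.writerow([row["asset"], *marks, row["protection"]])
    return buf.getvalue()


def audit_inventory(inventory, contents) -> list:
    """Flag PII assets with no protection recorded, and any asset whose
    sampled contents hold card numbers in plain sight."""
    findings = []
    for row in inventory:
        label = f"{row['asset']} ({row['state']})"
        if row["pii"] and not row["protection"]:
            findings.append(f"{label}: PII present, no protection recorded")
        for masked in find_plaintext_cards(contents.get(row["asset"], "")):
            findings.append(f"{label}: plaintext card number ending {masked[-4:]}")
    return findings


if __name__ == "__main__":
    print(inventory_csv(INVENTORY))
    for finding in audit_inventory(INVENTORY, SAMPLE_CONTENTS):
        print("FINDING:", finding)
```

Running the script on the constructed data produces the CSV road map and two findings, both against the unencrypted export: the inventory row says no protection is recorded, and the content scan confirms a valid card number is stored in clear. The masked entry in the third row is deliberately not reported, which is the behaviour an auditor wants: tokenized or truncated values are the evidence that a protection method is in place.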
Most commentators viewed this as a strong affirmance of the FTC’s authority and approach to developing data security norms. Shortly after Judge Salas issued her opinion denying Wyndham’s motion, LabMD sought review in federal court of the FTC’s denial of its motion to dismiss in the LabMD litigation. In defending its denial of this motion, the FTC was quick to cite Judge Salas’s opinion, citing cursorily to the holding without any discussion in asserting “the adequacy of the Commission’s jurisdiction over and notice regarding data security standards.” But the judge reviewing the LabMD motion to dismiss was not so blasé about the issue, especially in the administrative context. It was at this stage that the FTC received its first substantial judicial pushback. During a hearing to consider.
The Home Depot breach of customer credit and debit card information illuminates the need for new regulations. The Home Depot allegedly failed to secure its payment systems properly, resulting in the breach of millions of consumer records, including e-mail addresses and payment card data. The ramifications from this breach for consumers and the Home Depot are immense. The Home Depot and other companies must be incentivized to properly secure customer data. State data breach notification statutes fail to do this because damages must be shown from the failure to notify properly. The Consumer Privacy Protection Act of 2015 proposed by Senator Leahy would be a step in the right direction, but the FTC should be given the power to fine companies that suffer breaches. The framework provided by HIPAA and HITECH better incentivizes covered entities’ compliance with data security regulations. The FTC should adopt similar regulations immediately, including regulations based on HIPAA’s Privacy, Security, and Enforcement Rules. Affirmative defenses and exceptions would ensure that a company is not being held strictly liable for being the target of hackers.