Yesterday brought further proof – if any were needed – that data breaches are costly for everyone involved.
Home Depot, which revealed a huge data breach in September, said it now faces at least 44 civil lawsuits across the US and Canada after the security slip that left 56 million credit cards and 53 million email addresses exposed.
The company also warned that it expects more claims to be filed by customers and shareholders, as well as card issuers and payment card brands, according to a Securities And Exchange Commission (SEC) filing by Home Depot.
The financial impact of the breach so far stands at $43 million, the company wrote, though it expects to recoup some $15m of that cost via a network security and privacy liability insurance policy.
The resulting $28 million pre-tax net expense covers the three month period up until 2 November 2014 and takes account of the cost of investigating the breach itself, providing free identity protection and credit monitoring services to customers and the additional costs associated with an increased demand for call centre staff.
Other expenses include fees in respect of legal and other professional services required in the wake of the data breach.
Home Depot also predicted other future costs in respect of the breach, including further professional services expenses as well as additional capital costs associated with remediation.
The company said the value of potential further expenses and legal costs will likely be dependent upon whether it was deemed to be compliant with data security standards, such as Payment Card Industry Data Security Standards (PCI-DSS), at the time of the breach and whether or not any non-compliance (if detected) could be proven to have been instrumental in the criminals gaining accessing to the data.
Home Depot said its payment card network had been certified as compliant by an independent auditor in Autumn 2013, but said the 2014 assessment was ongoing at the time of the attack so admitted it may not be found to be compliant:
The forensic investigator working on behalf of the payment card networks may claim the company was not in compliance with those standards at the time of the Data Breach. As a result, we believe it is probable that the payment card networks will make claims against us and that we will dispute those claims.
Home Depot reiterated its previous announcement of additional measures to prevent another breach occurring in the future, which includes the rolling out of “enhanced encryption” in all of its US stores to make credit card data unreadable, and the complete adoption of EMV Chip-and-PIN technology by the end of the year.
Canadian stores, which are already enabled with Chip and PIN technology, will receive the new encryption system in 2015.
Investigations into the breach are still ongoing, the company said.