Before a major data breach, Home Depot was slow to raise its defenses against hackers despite alarms from security experts as far back as 2008.
Source: click here for article in NY Times
A negative article about Home Depot’s data breach, to be sure. But the article is obviously incomplete and does not provide Home Depot’s viewpoint or timeline about the cybersecurity actions that it had been taking.
Cybersecurity and new efforts and developments by hackers are rapidly changing areas. The relevant time period for Home Depot is probably mid- to late-2013 to the present. See my prior August 31, 2014 risk management and NIST Cybersecurity Framework blog post CLICK HERE, and my September 13, 2014 blog post CLICK HERE re COSO 2013 framework and risk management 20 step process. Curious, how would the outside independent auditor handle these risks under the COSO 2013 framework?
The article does indicate that Home Depot hired a computer engineer to oversee security as early as 2012, brought in additional experts in January 2014, and started encryption in April 2014 which wasn’t complete until last week.
A few comments from current or past employees don’t establish anything. Undoubtedly we will be getting additional information shortly. Home Depot certainly faces liability exposure, but how much we cannot determine, and possible of loss of store sales, but again how much we cannot determine.
Should executive officers or board or audit or risk committee members be ousted? Will proxy consultants recommend ouster? As you know from my prior posts re Target and GM – certainly not as a jerk knee reaction.
Obviously the most pressing actions needed are remedial, making sure the right people with expertise, experience and authorization are in place to be sure other breaches, if any, and security inadequacies are identified and eliminated, and for Home Depot to be able to affirm to the buying public that it is safe to shop at Home Depot.
Presumably the board will have an independent investigation performed – although the full examination and recommends will take time, it shouldn’t be too difficult to have the initial interviews completed quickly (30 days?) to determine which if any immediate position changes and authorizations should be immediately made or enhanced in Home Depot’s cybersecurity processes.
More to follow.
Dave Tate, CPA, Esq. (San Francisco / California)