Punishments for Insider Trading Are Growing Stiffer

The punishment for insider trading is starting to rival that for crimes like robbery and assault, Peter J. Henning writes in the White Collar Watch column.

Source: dealbook.nytimes.com

Ex-Employees Say Home Depot Left Data Vulnerable – Cybersecurity, Boards, Risk Management & Internal Controls

Before a major data breach, Home Depot was slow to raise its defenses against hackers despite alarms from security experts as far back as 2008.

Source: click here for article in NY Times

A negative article about Home Depot’s data breach, to be sure.  But the article is obviously incomplete and does not provide Home Depot’s viewpoint or timeline about the cybersecurity actions that it had been taking.

Cybersecurity and new efforts and developments by hackers are rapidly changing areas.  The relevant time period for Home Depot is probably mid- to late-2013 to the present.  See my prior August 31, 2014 risk management and NIST Cybersecurity Framework blog post CLICK HERE, and my September 13, 2014 blog post CLICK HERE re COSO 2013 framework and risk management 20 step process.  Curious, how would the outside independent auditor handle these risks under the COSO 2013 framework?

The article does indicate that Home Depot hired a computer engineer to oversee security as early as 2012, brought in additional experts in January 2014, and started encryption in April 2014 which wasn’t complete until last week.

A few comments from current or past employees don’t establish anything.  Undoubtedly we will be getting additional information shortly.  Home Depot certainly faces liability exposure, but how much we cannot determine, and possible loss of store sales, but again how much we cannot determine.

Should executive officers or board or audit or risk committee members be ousted?  Will proxy consultants recommend ouster?  As you know from my prior posts re Target and GM – certainly not as a knee-jerk reaction.

Obviously the most pressing actions needed are remedial, making sure the right people with expertise, experience and authorization are in place to be sure other breaches, if any, and security inadequacies are identified and eliminated, and for Home Depot to be able to affirm to the buying public that it is safe to shop at Home Depot.

Presumably the board will have an independent investigation performed – although the full examination and recommendations will take time, it shouldn’t be too difficult to have the initial interviews completed quickly (30 days?) to determine which if any immediate position changes and authorizations should be immediately made or enhanced in Home Depot’s cybersecurity processes.

More to follow.

Dave Tate, CPA, Esq. (San Francisco / California)

The NLRB sends a clear message to employers — think twice before striking back at employee social media comments

A recent decision by the NLRB provides important guidance as to when social media commentary is protected under the National Labor Relations Act and how far it must go before it can be deemed to lose the protection of the Act.

Source: click here for article

An important NLRB decision re employee use of social media.  All part of risk management.  Enjoy. Dave Tate (San Francisco / California)

Auditors May Disclose Company’s Framework Choice in Audit Reports | Compliance Week

Companies choosing to stick with the old COSO internal control framework this year might find a mention of that fact by auditors in the audit report.

Source: click here for article

Makes sense, if a company uses or is required to use COSO, to mention that a company hasn’t yet switched or is in the process of switching to COSO 2013.  But I’m not sure the market will really care either. COSO switch of course is an area of audit committee oversight.  I do believe it will be interesting to see what if anything the outside independent auditors do differently and/or disclose differently with COSO 2013 and the 17 principles.  Will the auditors discuss the company’s level of compliance with the 17 principles?

Who is an “Officer”? A Critical Inquiry for Indemnification and Insurance | The D&O Diary

Many companies provide advancement, indemnification and insurance benefits and protection for their officers and directors. However, it is not always clear . . . click here for article

SEC Offers Early Relief on Revenue Recognition Implementation | Compliance Week

The Securities and Exchange Commission is extending some early relief on the adoption of the comprehensive new accounting standard on revenue recognition: companies electing full retrospective adoption will not be expected to restate five years worth of numbers under the new approach.

Source: click here for article

Anticipating More “Where was the Board?” Questions – Corpedia

A series of developments in the first three quarters of 2014 presage much closer near-term scrutiny of the board’s risk management, compliance obligations.

Source: click here for article

Interesting discussion. So how does a board member protect his or her reputation and respond when the questions start? Without disclosing private or just non-public information?  Need some discussions about this.  Dave Tate, Esq.

Gearing-Up with COSO 2013 Internal Control Framework and Principles

As companies, directors (audit and risk committees), internal audit and independent auditors continue to gear up for COSO 2013, I am posting the below bullet point outline without discussion primarily for future reference and application. You will note that the COSO 2013 framework remains broad, lacking detail and arguably vague. You can take any category and any principle and ask, “what does that mean,” “what are our responsibilities,” and “at what point have we satisfied our responsibilities”? For example, look at the Risk Assessment category. Methods or processes of risk assessment certainly have already become more involved. See for example my August 31, 2014 blog post discussion about the NIST Cybersecurity Framework click here and my paper outlining 20 risk management process steps https://directorofficernews.com/wp-content/uploads/2014/07/risk-uncertainty-management-processes-oversight-dave-tate-esq-07052014.pdf.

More to follow.  Dave Tate, CPA, Esq. (San Francisco / California)

COSO 2013 Internal Control Framework & Sarbanes-Oxley Act (SOX) Section 404

Three Categories of Objectives:
-Operations
-Reporting
-Compliance

The Five Integrated Components of Internal Control and Their 17 Principles:

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

* * * * * * *

Concerns Linger About FASB’s Going Concern Standard – Financial Executives International Daily

CEOs, CFOs, investor relations professionals and corporate board members should be concerned about the implications of FASB’s latest standard, ASU 2014-15 on Going Concern.

Click on the following link for the article: daily.financialexecutives.org

Doesn’t seem like such a problem to me if the decision is properly made and readers know what they are reading. But it does seem like there are a lot of accounting/auditing principle changes all of a sudden.

Dave Tate, CPA, Esq.

Companies Increasing Audit Committee Transparency

The majority of audit committees at Fortune 100 companies are disclosing more information than in years past, especially about their assessment of their outside auditing firm, according to a new report.

Click on the following link for the article: www.accountingtoday.com

Seems pretty basic to me, but surveys and reporting on these things are important so that audit committees can catch a small view of what other committees are doing and to move things forward.

 

Dave Tate, CPA, Esq. (San Francisco / California), http://tatetalk.com