Attorneys General Launch Multistate Home Depot Data Breach Investigation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Martha Kessler

Sept. 11 — A group of attorneys general have opened a multistate investigation into the recently confirmed data breach at Home Depot Inc., officials from the offices of the attorneys general in several states told Bloomberg BNA Sept. 10.

The investigation seeks to identify the circumstances and the causes of the breach as well as the manner in which the home improvement retailer has dealt with affected shoppers, they said.

A spokeswoman for Connecticut Attorney General George Jepsen (D) said that Jepsen will be leading the multistate investigation in coordination with attorneys general Lisa Madigan (D) of Illinois and Kamala D. Harris (D) of California.

Officials in the offices of Harris and Madigan confirmed to Bloomberg BNA that they are engaged in investigating the breach and will work to evaluate the matter and take appropriate action as needed.

Jaclyn M. Falkowski, a spokeswoman for Jepsen, said the attorneys general have had initial contact with the Atlanta-based retailer but declined to offer any further information.

In a breach involving payment cards, there often arises an issue of whether the retailer or the credit card issuer has the duty to report to attorneys general if a relevant state data breach notification law requires it.

Retailer Confirmed Breach

Home Depot, the world's largest home improvement retailer, confirmed Sept. 8 that its payment data systems had been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.

The company said in a statement it began its investigation Sept. 2, immediately after it received reports from its banking partners and law enforcement that criminals may have hacked its payment data systems. Home Depot said while it continues to determine the full scope, scale and impact of the breach, there is no evidence that debit personal identification numbers were compromised.

Spokeswomen for attorneys general in Rhode Island and Massachusetts told Bloomberg BNA their offices had received communication from Home Depot alerting them of the breach and the steps the company is taking to investigate the breach and to support customers possibly affected by any data theft.

Rhode Island Attorney General Peter Kilmartin (D) said in a Sept. 10 statement that his office has learned that the cyberattack may have involved transactions as far back as April 2014 and might affect all of the retailer's 2,200 U.S. stores.

Jillian Fennimore, spokeswoman for Massachusetts Attorney General Martha Coakley (D), told Bloomberg BNA that her state is also involved in the multistate investigation.

“We have been in contact with Home Depot, and will be working with attorneys general across the country to review the circumstances and cause of this data breach, whether Home Depot had sufficient safeguards in place to protect consumer information, and to confirm that Home Depot will take appropriate steps to protect its customers,” Fennimore said.

Retailers Should be Aware

Home Depot joins a growing list of major U.S. retailers that have reported data breaches.

“At this point, all retailers should be aware of the gaps in security that are being exploited and they should immediately implement” improvements, Tom Kellermann, chief cybersecurity officer of Internet and cloud security firm Trend Micro Inc., told Bloomberg BNA Sept. 10.

 “Everyone should have learned” from what happened to Target Corp., he said. In December 2013, Target revealed a massive hacking breach of its payment card databases. “And the fact they haven't should be quite damning,” he said.

The lack of improvements by businesses may mean government regulators, such as the Federal Trade Commission, should act, Kellermann added.

Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.)—who previously served as Connecticut's attorney general—have called on the FTC to determine whether Home Depot's data security procedures meet a “reasonable standard”.

Who Must Notify Attorneys General?

One question that has come up in investigations of data breaches is which party is responsible under various state statutes for notifying the appropriate state authorities.

In referencing the Massachusetts data security law, Cynthia Larose, a member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC in Boston, told Bloomberg BNA Sept. 11 that the notification requirements depend on the type of breach. In these kinds of situations, where the payment system is breached and the information is actually grabbed before it enters the retailer's payment system, Larose said, one can argue that the information isn't “owned” by the retailer but instead belongs to the credit card issuer because this information was never actually transferred to the retailer.

The credit card issuers typically don't notify the attorneys general because they say it isn't their breach, Larose said. “The attorneys general have not forced that issue with the credit card companies because it is true that they are owners of the information but they are not the processors of the information,” she said.

There are multiple levels of people in between, which is why public notice is really the only way to go.

“I think in a situation like this, where there has been public notice anyway, sending a letter to the attorney general's office is just closing the loop for retailers like Home Depot that have been involved in a mass breach,” Larose said.

“I think it is always recommended to communicate with the regulators when something like this happens. You only do yourself harm by not communicating with the regulators,” she said.

“Just looking at the situation and saying it's not really our problem, or we don't fit under the statute is probably not the best idea,” Larose added.

With assistance from Joyce Cutler in San Francisco

To contact the reporter on this story: Martha Kessler in Boston at

To contact the editor responsible for this story: Donald G. Aplin at


Request Bloomberg Law Privacy and Data Security