Skip to content
Main Menu
Utah Attorney General
Search
Attorney General
Sean D. Reyes
Utah Office of the Attorney General
Secondary Navigation

Attorney General Reyes and The Home Depot Reach Settlement Regarding Data Breach

November 24, 2020

SALT LAKE CITY – Utah Attorney General Sean D. Reyes today announced that his office, the Utah Division of Consumer Protection and the attorneys general of 45 other states and the District of Columbia have obtained a $17.5 million-dollar settlement against Georgia-based retailer The Home Depot, resolving a multistate investigation of a 2014 data breach which exposed the payment card information of approximately 40 million Home Depot consumers nationwide. The State of Utah will collect $154,144.80 through this settlement.

The breach occurred when hackers gained access to The Home Depot’s network and deployed malware on The Home Depot’s self-checkout point-of-sale system. The malware allowed the hackers to obtain the payment card information of customers who used self-checkout lanes at The Home Depot stores throughout the U.S. between April 10, 2014 and Sept 13, 2014.

In addition to the $17.5 million total payment to the states, The Home Depot has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

“This settlement serves to promote fair but rigorous compliance with state laws which require businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures to protect consumers’ information from unlawful use or disclosure,” Attorney General Reyes said.

Specific information security provisions agreed to in the settlement include:

  • Employing a duly qualified Chief Information Security Officer reporting to both the Senior or C-level executives and Board of Directors regarding The Home Depot’s security posture and security risks;
  • Providing resources necessary to fully implement the company’s information security program;
  • Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Consistent with previous state data breach settlements, the company will undergo a post settlement information security assessment which in part will evaluate its implementation of the agreed upon information security program.

Other states participating in this settlement include: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, Washington, West Virginia, and Wisconsin.

DATA BREACH: EQUIFAX SETTLES WITH UTAH ATTORNEY GENERAL

FOR IMMEDIATE RELEASE
July 22, 2019
 

DATA BREACH: EQUIFAX SETTLES WITH UTAH ATTORNEY GENERAL

50 Other States, Puerto Rico, Washington D.C. included in Historic Case

“While this is a historical settlement in terms of amount and conditions required, it is quite appropriate for the severity of the conduct.”—Utah Attorney General Sean D. Reyes

SALT LAKE CITY – The Utah Attorney General announces a historic $600 million nationwide settlement with Equifax concerning the 2017 Equifax data breach affecting more than 147 million Americans, and more than 1.2 million Utahns. 50 state attorneys general and the attorneys general of Puerto Rico and Washington, D.C. are included in the settlement.
 
“I’m pleased Equifax will take serious steps to protect and reimburse consumers, even if it comes only after one of the worst lapses of consumer data protection in our history,” said Utah Attorney General Sean D. Reyes. “I urge Utah consumers affected by the breach to take advantage of Equifax’s agreement to pay for credit monitoring, identity theft protection and other measures and reimbursements.”
 
“Just the fear and uncertainty alone from a breach victimizes those whose data is compromised,” AG Reyes said. “I’m hopeful this offers some measure of relief to Utahns whose lives have been disrupted or even more significantly damaged.”
 
The terms of the multistate attorney general settlement are as follows:

  • Equifax will offer affected consumers free credit monitoring services for 10 years;
  • Equifax will provide free Identity Theft Restoration services to all affected consumers;
  • Equifax will strengthen its data security practices to protect against another breach;
  • Equifax will take several steps to assist consumers:
    • with understanding their credit report;
    • with disputing inaccurate entries on their credit report, including credit report entries that are the result of identity theft;
    • who have become the victim of identity theft or who are concerned about becoming the victim of identity theft; and
    • including assisting active-duty military members and veterans and their families with credit report issues unique to military members.
  • Equifax will pay $300 million into a settlement fund for the benefit of affected consumers, with the possibility of paying up to an additional $125 million into the settlement fund, for a total of $425 million; and
  • Equifax will pay $175 million to the states, $1,422,915.91 of which will go to Utah. 

Details on the Consumer Settlement Fund
Affected consumers are eligible to request the following types of reimbursements from the settlement fund:

  • Reimbursement for time spent trying to avoid or recover from identity theft (up to 20 total hours at $25 per hour);
  • Reimbursement for money spent trying to avoid or recover from identity theft (such as costs for freezing your credit report, professional fees paid to address identity theft, postage, etc.);
  • Up to $125 to reimburse for credit monitoring services purchased if you choose not to accept the offered 10 free years of credit monitoring service offered as a part of the settlement.

The settlement is being handled by a settlement administrator who is maintaining a website (http://www.ftc.gov/equifax-data-breach) and a toll-free number (1-833-759-2982).  Eligible consumers can submit claims at the settlement website. 

Frequently Asked Questions
Q: How do I know if I am covered by the settlement?
A: Once the class action court approves the settlement, Equifax will provide a lookup tool on the settlement website (http://www.ftc.gov/equifax-data-breach) that you can use to determine whether you are affected by the data breach. You will be required to input the last 6 digits of your Social Security Number that Equifax will use only to determine whether you are one of the affected consumers. 
 
Q: I am an eligible consumer who wants to make a claim from the settlement fund. How do I make a claim? 
A: You can make a claim through the settlement website (http://www.ftc.gov/equifax-data-breach) once the court approves the settlement. This is the simplest and quickest way to file a claim. However, you also can request a paper claim form via the settlement website or by calling (1-833-759-2982). The deadline to file all claims will be determined once the court approves the proposed settlement and will be posted on the settlement website as soon as that information becomes available, so please check the settlement website for updated information. When you file a claim, you will receive a claim number.  Please record your claim number and retain it for future reference.
 
Q: I am an eligible consumer who wants to make a claim from the settlement fund. What can I request in my claim?
A: You will be able to request after the court approves the settlement, and before the deadline to be announced by the court, free credit monitoring and reimbursement for money and time spent addressing the data breach. Specifically, you can:

  • Sign up for the free 10 years of credit monitoring that Equifax is offering. It consists of at least 4 years of three-bureau credit monitoring that monitors your credit report with Equifax, Experian, and TransUnion, followed by up to 6 years of single bureau credit monitoring of your Equifax credit report;
  • Request reimbursement for:
    • Time spent trying to avoid or recover from identity theft (up to 20 total hours at $25 per hour);
    • Money spent trying to avoid or recover from identity theft (such as money paid to freeze or unfreeze your credit report, money paid to a professional for identity theft services, postage, etc.; and
    • If you do not wish to utilize the offered free 10 years of credit monitoring, you can request reimbursement of up to $125 for what you spent to purchase alternative credit monitoring services.

Also, all affected consumers are eligible to use the free offered Identity Restoration services at any time during the extended claims period. The court will determine the deadline to file a claim during the extended claims period once it approves the proposed settlement. Affected consumers do not need to enroll in this service in order to be able to use it. 
 
Q: When is the deadline to file a claim against the settlement fund?
A: The deadline is not yet set, but the court will determine the deadline if it approves the proposed settlement. Please check the settlement website (http://www.ftc.gov/equifax-data-breach) for updates on the claims deadlines and other documents associated with the settlement. 
 
Q: I filed a claim against the settlement fund.  How can I find out about the status of the claim?
A: The settlement administrator will contact you when a decision is made about your claim. Also, you can check the status of your claim at http://www.ftc.gov/equifax-data-breach. Please be prepared to enter your claim number that the settlement administrator provided to you when you filed your claim. 
 
Q: I have questions about the Equifax settlement.  Where can I get information about the settlement?
A: You can go to http://www.ftc.gov/equifax-data-breach for information about the settlement and to view important documents associated with the settlement. Also, you can call (1-833-759-2982) to obtain information about the settlement. Utah consumers who have questions that were not answered by the website or toll-free number may contact the Utah Office of the Attorney General, Constituent Services, at 801-366-0260 or uag@agutah.gov.
 
Q: I am concerned about identity theft.  How can I place a freeze on my credit report?
A: Credit freezes are free of charge, and in order to place a freeze on your credit report, you must contact each of the major consumer reporting agencies directly and identify yourself to them. A credit freeze prevents companies from viewing your credit report if they are considering granting credit unless you prove to them that you are who you say you are. It can help protect you from identity thieves who are trying to open a credit account in your name. The consumer reporting agencies are not permitted to charge you any fee to place or lift the freeze. You should know that if you plan to apply for credit when you have a freeze in place, there may be a delay in processing your credit application while you request that the credit freeze be lifted. You can find instructions on how to place a credit freeze here: https://www.consumer.ftc.gov/blog/2018/09/free-credit-freezes-are-here.

###

For-Profit College Settlement Cancels $500M in Student Debt

The State of Utah Department of Commerce released the following after Utah and 48 Attorneys General signed a multi-state case with Career Corporation, a for-profit education company, who agreed to stop collecting student loans, bringing $493.7 million in debt relief to CEC students across the U.S.

FOR IMMEDIATE RELEASE
January 9, 2019

Career Education Corporation, a for-profit company, agrees to stop collecting student loans in agreement with Utah, 48 Attorneys General

SALT LAKE CITY, Utah – Francine A. Giani, Executive Director of the Department of Commerce, announced today that the Utah Division of Consumer Protection will receive settlement funds for students as the result of a 493.7M nationwide lawsuit against Career Education Corporation (CEC), a for-profit education company. In the court filing, CEC agreed to reform its recruiting and enrollment practices and forgo collecting about $493.7 million in debts owed by 179,529 students nationally, in a settlement with the Utah Division of Consumer Protection filed through the Utah Attorney General and 48 other attorneys general.

“This case is a triumphant win for CEC students whose for-profit school failed to deliver on empty promises. Often these institutions prey on a vulnerable population, working parents and students who are looking find careers outside traditional college degrees. Utah hopes this case sends a message to the industry that our attorneys will actively pursue cases to defend student’s consumer rights,” stated Francine A. Giani.

The Assurance of Voluntary Compliance filed January 3, 2019 caps a five-year investigation. CEC agrees to forgo any and all efforts to collect amounts owed by former students living in the states participating in the agreement. In Utah, 399 students will get relief totaling $980,547.39. Nationally, the average individual debt relief will be about $2,750. CEC has also agreed to pay $5 million to the states. Utah’s share will be $50,000 which will go to the Consumer Protection Education and Training Fund.

CEC is based in Schaumburg, Ill., and currently offers primarily online courses through American InterContinental University and Colorado Technical University.

CEC has closed or phased out many of its schools over the past 10 years. Its brands have included Briarcliffe College, Brooks Institute, Brown College, Harrington College of Design, International Academy of Design & Technology, Le Cordon Bleu, Missouri College, and Sanford-Brown.

A group of attorneys general launched an investigation into CEC in January 2014 after receiving several complaints from students and a critical report on for-profit education by the U.S. Senate’s Health, Education, Labor and Pensions Committee. That investigation revealed evidence demonstrating that:

  • CEC used emotionally charged language to pressure them into enrolling in CEC’s schools;
  • CEC deceived students about the total costs of enrollment by instructing its admissions representatives to inform prospective students only about the cost per credit hour without disclosing the total number of required credit hours;
  • CEC misled students about the transferability of credits into CEC from other institutions and out of CEC to other institutions by promising on some occasions that credits would transfer;
  • CEC misrepresented the potential for students to obtain employment in the field by failing to adequately disclose the fact that certain programs lacked the necessary programmatic accreditation; and,
  • CEC deceived prospective students about the rate that graduates of CEC programs got a job in their field of study, thereby giving prospective students a distorted and inaccurate impression of CEC graduates’ employment outcomes. For instance, CEC inaccurately claimed that its graduates were “placed” who worked only temporarily or who were working in unrelated jobs.

As a result of the unfair and deceptive practices described above, students enrolled in CEC who would not have otherwise enrolled, could not obtain professional licensure, and were saddled with substantial debts that they could not repay nor discharge. CEC denied the allegations of the attorneys general but agreed to resolve the claims through this multistate settlement.

Robert McKenna, former Washington state attorney general and current partner at the San Francisco-based law firm of Orrick, Herrington & Sutcliffe, will independently monitor the company’s settlement compliance for three years and issue annual reports.

Highlights of the agreement

Under the agreement, CEC must:

  • Make no misrepresentations concerning accreditation, selectivity, graduation rates, placement rates, transferability of credit, financial aid, veterans’ benefits, or licensure requirements.
  • Not enroll students in programs that do not lead to state licensure when required for employment, or that due to their lack of accreditation, will not prepare graduates for jobs in their field. For certain programs that will prepare graduates for some but not all jobs, CEC will be required to disclose such to incoming students.
  • Provide a single-page disclosure to each student that includes: a) anticipated total direct cost; b) median debt for completers; c) programmatic cohort default rate; d) program completion rate; e) notice concerning transferability of credits; f) median earnings for completers; and g) the job placement rated.
  • Require students before enrolling to complete an Electronic Financial Impact Platform Disclosure, which provides specific information about debt burden and expected post-graduation income. CEC is working with the states to develop this platform.
  • Not engage in deceptive or abusive recruiting practices and record online chats and telephone calls with prospective students. CEC shall analyze these recordings to ensure compliance. CEC shall not contact students who indicate that they no longer wish to be contacted.
  • Require incoming undergraduate students with fewer than 24 credits to complete an orientation program before their first class that covers study skills, organization, literacy, financial skills, and computer competency. During the orientation period, students may withdraw at no cost.
  • Establish a risk-free trial period. All undergraduates who enter an online CEC program with fewer than 24 online credits shall be permitted to withdraw within 21 days of the beginning of the term without incurring any cost. All undergraduates who enter an on-ground CEC program shall be permitted to withdraw within seven days of the first day of class without incurring any cost.

Relief Eligibility

CEC has agreed to forgo collection of debts owed by students who either attended a CEC institution that closed before Jan. 1, 2019, or whose final day of attendance at AIU or CTU occurred on or before Dec. 31, 2013.

Former students with debt relief eligibility questions can contact CEC here; Toll Free Number: 844-783-8629

Local Number: 847-783-8629

The email is CECquestions@careered.com

The CEC investigation was led by Iowa, Connecticut, Illinois, Kentucky, Maryland, Oregon, and Pennsylvania. The agreement also covers the District of Columbia and  the following states: Alabama, Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Kansas, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.

Photo by Nathan Dumlao