09/05/2014 01:15 pm ET Updated Nov 04, 2014

Home Depot's Hack Response in Three Little Words

By Neal O'Farrell, Security and Identity Theft Expert for

If the Home Depot breach turns out to be as bad or worse than the Target breach, certain things will be unavoidable for the home improvement giant. But there are some things the company can do to help reduce the short and long term impact and cost.

Americans are renowned and admired the world over for their capacity to forgive, and the quicker consumers forgive Home Depot, the greater the chance Home Depot has to reduce the final cost of this (possible) major breach of trust. But forgiveness comes with a price, and that price is a full confession and genuine contrition.

Mea Maxima Culpa

If it turns out that this breach could reasonably have been prevented, the mob is going to be baying. The best chance Home Depot has of quelling the calls for blood and heads is a major Mea Maxima Culpa.

Expose consumers to enough breaches and they start learning. One of the things they learn is how canned, insincere, misleading and blame-pushing most of the PR-driven responses can be. A good CEO can get a great head start on rebuilding trust and getting back to business if he or she responds in the right way and at the right time.

If I were Home Depot:

  • Have the CEO say that he's dropping everything else he's doing right now so he can focus completely on what matters most -- the trust and safety of his customers. If your building is burning down, don't delegate the response. Lead it.
  • Don't hide behind a legal or PR statement or person. Have the CEO appear regularly, everywhere, minus the jacket or tie and with his sleeves rolled up. Make sure we all can see him hard at the dirty work of figuring this out and making it right.
  • Tell the truth. If you don't know something, say you don't and say why. Don't dodge a question you don't have any answer to with the common boilerplate, "The investigation is still ongoing."
  • Don't hide news or answers about the breach in the dark and dusty corners of your web site. Some CEOs seem to think if the breach is not on their home page, people won't notice there's been a breach. You can bet they will.
  • Be angry and show it. If your firm did everything reasonable to prevent the breach from happening, then you and your employees are victims too. And if you share the anger your customers are feeling, you can help make a powerful connection with them.
  • If you didn't have it ready this time, have it ready next time. I'm taking about a breach response center that is ready to launch and quickly filled in with all the relevant information, helpline phone numbers, links and everything else worried customers will want quickly. There's nothing worse than being directed to a breach information page that has nothing more than a couple of paragraphs of PR concocted spin.

If you have ever shopped at Home Depot:

  • If you used a credit card or Home Depot card, keep an eye on your statements. You won't be liable for any fraudulent charges so don't panic if they pop up.
  • If you used a debit card, keep an eye on your bank statements and change your PIN.
  • If you have or had an online account with Home Depot, change the password and be on the alert for any suspicious emails.
  • If you have a Home Depot Commercial Account or (like me) a Home Depot Project loan, call the customer help number on your paperwork and ask if they have any information specifically about those accounts. If you applied for a project loan, you'll have provided your Social Security number so be on extra alert.

Even if you didn't shop at Home Depot:

  • Be suspicious of any emails in the coming days and months that claim to be from Home Depot or about the breach. Hackers and spammers are going to have a field day with all the media coverage.
  • Don't wait to be offered credit monitoring or identity protection. Services like Credit Sesame offer free identity protection all year round, so take advantage of it before something bad happens.
  • Use every data breach as a reminder to catch up on all those security housekeeping chores that we now have to live with -- change your passwords even if they weren't affected or you're not a victim. Check your credit card and bank statements thoroughly for any unusual charges. Be vigilant for suspicious emails and keep a close eye on your credit.
  • Don't stop shopping at Home Depot. All you're doing is hurting the thousands of employees who had nothing to do with the breach, and playing into the hands of the hackers.

By doing all these simple things, you're actually making things harder for the thieves. Because the more locked-down and vigilant you are, the harder it becomes for these thieves to use the information against you.

Neal O'Farrell is one of the most experienced consumer security experts on the planet. Over the last 30 years he has advised governments, intelligence agencies, Fortune 500 companies and millions of consumers on identity protection, cybersecurity, and privacy. As Executive Director of the Identity Theft Council, Neal has personally counseled thousands of identity theft victims, taken on cases referred to him by the FBI and Secret Service, and interviewed some of the nation's most notorious identity thieves.