Home Depot’s data breach has already cost the company more than $60 million, not including potential costs for civil damages in suits brought by consumers, shareholders, and financial institutions. However, Home Depot’s potential costs do not stop there. Recent reports indicate Home Depot may have known its systems were open to attack and did not act to fix the problem.

According to former members of the Home Depot IT security team, Home Depot failed to perform regular tests on its point-of-sale (POS) systems, hired its senior IT security architect after he had sabotaged his former employer’s network, and ran an outdated version of Symantec Antivirus dating from 2007. Commentators have started to discuss whether Home Depot’s actions, or lack thereof, could mean criminal liability for the retailer. Criminal negligence in a data breach would require evidence that an entity failed to perceive a substantial and unjustifiable risk that a data breach would occur.

While it is still early, one lesson from the Home Depot data breach case is that companies can expect data breaches to be probable, but they cannot simply sit on their hands. Indifference to the risk and failure to take proper precautions against the probability of a data breach could mean criminal negligence charges.