$43m is peanuts
But I wonder what the hard cash value is of the reputational damage, from customers choosing not to buy because their details were compromised by Home Depot?
With 53m customers affected, that must be close to all customers of the company. Home Depot have sales of close on $80bn a year; if only half of one percent of customers go elsewhere then that's $400m of revenue lost, and with Home Depot gross margin of around 33% that translates to lost margin of $132m in year one, whilst operating costs remain essentially static. Even if those half of one percent bleed back to Home Depot over three years then the margin losses are going to total around $220m. Obviously if you get to larger but still feasible numbers, say 3% deciding not to shop, then on the same basis Home Depot's losses are $1.3bn over three years.
Moral of the story to big company CIOs (and today's El Reg Statement of the Bl**ding Obvious): The value at risk in a data breach is many multiples of the short-term direct costs of fines and compensation. You did factor that into your discussion with the board about investing in IT security, didn't you? On the plus side, if Home Depot's anything to go by, you won't get fired, and next year's bonus will probably be as generous and undeserved as last year's.