[BreachExchange] Latest Target Data Breach Settlement Reminds Companies Of The Importance Of Data Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 30 19:41:20 EDT 2017


Pursuant to a settlement agreement with the Attorneys General of nearly all
50 states[1], Target Corporation will pay $18.5 million to settle claims
brought by the state Attorneys General arising from the November 2013 data
breach – involving the credit or debit card information of approximately 40
million Target customers – caused by cyberattacks on Target's network.

The settlement is the latest in a string of settlement payments made by
Target as a result of the breach, which includes payments of over $100
million to banks and credit/debit card companies for fraudulent charges and
other damages, as well as a $10 million payment to settle a civil class
action brought by affected customers.  In total, Target reports that, to
date, the cost of the data breach has exceeded $200 million.[2]

Notably, the settlement agreement with the Attorneys General goes beyond
mere payment of monetary penalties.  It requires Target to take specific
steps to ensure implementation of a comprehensive information security
program aimed at avoiding future breaches.  The settlement agreement
requires Target to implement this new security program within 180 days of
the effective date of the agreement, and mandates that Target, among other
things: (1) maintain a written policy that adequately addresses the
administrative, technical and physical safeguards for personal information
maintained by Target, taking into account Target's size, the nature of its
operations, and the sensitivity of personal information maintained by it;
(2) employ an executive or officer with an appropriate background or
experience to implement and maintain the program; and (3) maintain
encryption protocols and related policies reasonably designed to protect
personal information.  Target is also required to separate its customer
credit and debit card data from the rest of its computer network and to
test for, and correct, vulnerabilities in its computer network.[3]

Within one year of the settlement, Target must obtain a third-party
"information security assessment" to review and report on the
implementation of the new information security program.  The Attorneys
General have the right to initiate a proceeding for any failure to comply
with the provisions of the settlement agreement, as well as for any other
failure to comply with applicable data security laws.  In other words,
Target's implementation of these data security policies and procedures will
be under a regulatory microscope for the near future.

The moral of the story for other companies, as made clear in a statement by
Connecticut Attorney General George Jepsen, is that "Companies across
sectors should be taking their data security policies and procedures
seriously.  Not doing so potentially exposes sensitive client and consumer
information to hackers."[4]  This is true even for companies that do not face
the significant exposure of a large retailer like Target.  Regardless of
company size or industry, the settlement sends a message that companies
must either implement reasonable and adequate data security safeguards, or
risk a breach that could result in government implementation and oversight
of a much more rigorous and burdensome program.

In sum, this is a reminder that now is a good time for all companies to
review their data security policies and programs, data breach response
protocols, and compliance with applicable consumer protection and data
security laws, to ensure that they do not become the next example of what
not to do.