The timing couldn't have been worse for retail giant Target's massive data breach.
Not only did the security failure compromise data, including credit card information, for as many as 110 million customers at the peak of holiday shopping season, it threatens to make the company a poster child for regulators and legislators who were already considering new rules to crack down on lax corporate cyber-security.
Details are still emerging on what happened at Target, but there are growing suspicions, based on tracking of the stolen card numbers, that the data breach originated from hackers in one or more of the former Eastern Bloc countries. It is not yet known whether the Target breach is related to similar attacks that struck high-end retailer Neiman Marcus and other, as-yet-unnamed, retailers during the same period.
Stu Sjouwerman, CEO of the data security firm KnowBe4 and a longtime developer of anti-virus software, predicts it was accomplished by either a “phishing” or “spear-phishing” attack, in which hackers blast malicious links at employees and wait for one of them to let their guard down and click, opening a virtual door in the network and inviting the enemy inside.
It wouldn't be the first time the tactic was successful. In July 2013, four Russian nationals and a Ukrainian were arrested for a global scheme that netted 160 million credit and debit card numbers during a seven-year period from customers and employees of Nasdaq, 7-Eleven, JCPenney, JetBlue, payment processor Heartland Payment Systems, and others.
While Target pieces together what happened, its woes could become everyone's problem. Seizing upon public concern, several members of Congress were quick to jump into the fray and demand answers, some even floating new requirements for data security. Among them was Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, who reintroduced the Personal Data Privacy and Security Act, a bill he first authored in 2005 and has reintroduced in each of the last four sessions of Congress.
Leahy's bill would establish a national standard for data breach notifications and require businesses that collect and store personal information to adopt a series of safeguards from cyber-threats. “Developing a comprehensive national strategy to protect data privacy and cyber-security remains one of the most challenging and important issues facing our nation,” Leahy said in a statement. “This important issue will also be the focus of a hearing before the Judiciary Committee this year.”
The bill would impose criminal penalties on individuals who “intentionally or willfully conceal” a security breach involving personal data when it causes economic damage to consumers. It also includes its own version of the Obama administration's proposal to update the Computer Fraud and Abuse Act, subjecting attempted computer hacking to the same criminal penalties as a successful attack.
Even if Congress doesn't pass new data privacy and security regulations, companies could still face tougher rules. “Regulators were very activist in 2013 and will continue to be in 2014,” says Sharon Klein, a partner with law firm Pepper Hamilton and chair of its privacy, security, and data protection practice. “The Federal Trade Commission has issued proclamation after proclamation about ‘privacy by design,’ that you can't wait for a breach to happen, you have to get out in front of the problem and do your own preparation and investigations before any one breach happens.”
A tricky question is when to disclose a breach, how, and to whom. “There is a delicate balance between finding something out and providing instant breach information, and not having all of the relevant facts,” Klein says. “The goal is to do it once, correctly, rather than have iterative messaging.”
The Securities and Exchange Commission has also issued guidance on breach disclosures, but only a handful of companies have been pressured to comply.
Alfred Saikali, a partner at law firm Shook, Hardy & Bacon and co-chair of its data security and data privacy practice, doesn't think that the SEC changing that guidance to a formal rule would do much. Companies are already required to disclose breaches in their public filings where those breaches are considered material, he says. Companies that aren't disclosing breaches in their public filings are being asked why not by the SEC.
Breach disclosure, at the state level, is also complicated. Of the 46 states and U.S. territories that have breach notification laws on their books, many set different standards. Puerto Rico, for example, requires public notification within 10 days of a breach. Other states set the standard at 30 to 60 days.
Varying approaches by states mean that, when a large, high-profile breach happens, the victim often tries to comply with the “highest common denominator,” the state with the strictest requirements, with the understanding that meeting those requirements will likely satisfy the requirements of the less onerous state laws, Saikali says.
Companies need to rethink how employees are educated about the risks they may pose, Sjouwerman says. Compliance efforts need to be better aligned with security and IT functions. He cites the Sarbanes-Oxley Act's requirement that employees receive yearly security awareness training. “What are you going to do? Are you going to stick them in the break room and expose them to death by PowerPoint for 20 minutes? They will blank out and glaze over after five minutes,” he says. “You can now check the box on your compliance list, but that's the wrong way to do it.”
His suggestion: The IT department can send out a simulated phishing attack once a week, year-round. “Now you are creating a change in behavior and that is what you ultimately want to achieve,” he says.
TARGET FIELDS QUESTIONS
The following is from an FAQ published on Target's Website.
In mid-December, we learned criminals forced their way into our system, gaining access to guest credit and debit card information. The investigation has recently determined that certain guest information was taken. That included names, mailing addresses, e-mail addresses or phone numbers. We have partnered with a leading third-party forensics firm who is thoroughly investigating the breach.
Has the issue been resolved?
Yes. We closed the access point that the criminals used when we discovered the breach on Dec. 15.
Does that information include social security numbers?
There is no indication that Social Security numbers have been taken.
Do you think you will find anything else?
We continue to conduct a thorough investigation and we are committed to updating you on developments that could impact you.
How could Target let all this credit and debit card information get accessed?
This unauthorized access is a crime, and we are taking it very seriously. While we can't provide specifics because the investigation is ongoing, we are working closely with the U.S. Secret Service and the Department of Justice to bring those responsible to justice.
How can I be assured you are taking the steps to protect my information in the future?
We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. We have retained a leading third-party forensics firm who is conducting a thorough investigation of this incident.
When did Target learn that certain guest information was taken?
This information was discovered as part of the ongoing investigation.
Is this occurrence of theft a new incident?
This theft is not a new breach. This development was uncovered in the course of the ongoing investigation. When we discovered the breach on Dec. 15, we moved swiftly to close the access point that criminals used and removed the malware they left behind.
Klein gives high marks to how Target has managed the breach aftermath thus far. Specifically, she thinks a Web portal with up-to-date information and resources was a savvy move.
Among the messages to consumers on that site:
PIN numbers are encrypted and can only be decrypted by an external, independent payment processor. Target offers assurances that the “key” needed to decrypt data never existed within its system.
Although CVV information was compromised, that data is not the same as the three-digit security code on the back of credit and debit cards. There are two types of CVV data: CVV, which is encoded on the magnetic stripe, and CVV2, which is the three- or four-digit value printed on the card. Target says there is no indication that CVV2 data was affected.
Customers will not be responsible for fraudulent charges—either their bank or Target has that responsibility.
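The first of those messages rests on a key-custody argument: the PIN is encrypted at the PIN pad under a key shared only with the payment processor, so the merchant's store systems relay and log ciphertext they cannot decrypt. The following model is an added example and not Target's code or anything from the original article. The three parties (PinPad, MerchantSystem, PaymentProcessor), the key-provisioning step and the sample PIN are all constructed, and the cipher is a stdlib SHA-256 keystream with an HMAC tag chosen so the example runs without third-party packages; real PIN pads use ISO 9564 PIN blocks under DUKPT/TDES or AES, not this construction.

```python
"""Illustration of why a PIN encrypted at the pad stays protected when the merchant
network is compromised: the merchant holds ciphertext, never the key. Constructed
example; the cipher below is for illustration only, not a payment-industry standard."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class EncryptedPin:
    """What the merchant's systems see: nonce, ciphertext and tag, but no key."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter-mode keystream derived from (key, nonce).
    Symmetric: applying it twice with the same key and nonce recovers the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag so a modified block is rejected instead of silently decrypted."""
    return hmac.new(key, b"pin-block" + nonce + ciphertext, hashlib.sha256).digest()


class PinPad:
    """Encrypts the PIN at the point of entry under a key shared only with the processor."""
    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def encrypt_pin(self, pin: str) -> EncryptedPin:
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(self._key, nonce, pin.encode("ascii"))
        return EncryptedPin(nonce, ct, _tag(self._key, nonce, ct))


class MerchantSystem:
    """Store-side systems: they forward and log encrypted PIN blocks but hold no key."""
    def __init__(self):
        self.records: List[EncryptedPin] = []

    def forward(self, block: EncryptedPin) -> EncryptedPin:
        self.records.append(block)
        return block

    def key_material_present(self) -> bool:
        # Nothing on this host can recover the PIN; only ciphertext is retained.
        return False


class PaymentProcessor:
    """Holds the shared key and is the only party able to recover the PIN."""
    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def decrypt_pin(self, block: EncryptedPin) -> Optional[str]:
        expected = _tag(self._key, block.nonce, block.ciphertext)
        if not hmac.compare_digest(expected, block.tag):
            return None  # tampered, or encrypted under a different key
        return _keystream_xor(self._key, block.nonce, block.ciphertext).decode("ascii")


def demo(pin: str = "1234") -> dict:
    """Run one constructed transaction and report what each party can recover."""
    shared_key = secrets.token_bytes(32)  # provisioned into the pad and the processor only
    pad, merchant, processor = PinPad(shared_key), MerchantSystem(), PaymentProcessor(shared_key)

    block = merchant.forward(pad.encrypt_pin(pin))
    copied = merchant.records[0]  # everything an intruder on the merchant network could take

    # Without the key, a copied record yields nothing: a guessed key fails verification.
    with_wrong_key = PaymentProcessor(secrets.token_bytes(32)).decrypt_pin(copied)
    # A bit-flipped ciphertext is caught by the tag at the processor.
    tampered = EncryptedPin(copied.nonce,
                            bytes([copied.ciphertext[0] ^ 1]) + copied.ciphertext[1:],
                            copied.tag)

    return {
        "processor_recovers": processor.decrypt_pin(block),
        "merchant_holds_key": merchant.key_material_present(),
        "copied_record_with_wrong_key": with_wrong_key,
        "tampered_block_accepted": processor.decrypt_pin(tampered) is not None,
        "ciphertext_contains_pin": pin.encode("ascii") in copied.ciphertext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the merchant's systems are a pure relay for the PIN block: the only place the key exists outside the pad is the processor, so a compromise of store servers or the network between them exposes ciphertext and a tag, neither of which can be turned back into a PIN or altered undetected.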
“They needed to have control over the message,” Klein said. “Open and honest communication is absolutely critical during a breach. The last thing you want to do is sugar-coat the message.”
Shareholders Take Aim
In most serious data breaches, companies must contend with a flurry of litigation, and Target is no exception. Saikali says shareholders have already filed an initial crop of class-action lawsuits against Target, and more are inevitable. Even if legal precedent may not provide them much chance of success, Target can hardly breathe easy, nor should other companies, he says.
“If plaintiffs succeed in shifting the focus away from the legal standard, every company should be very concerned, because so many data breaches are, in hindsight, preventable. Almost every company could face potential liability when they suffer a breach,” Saikali says.
When to go public with news of a breach is always a thorny issue for companies, and one that can affect shareholder lawsuits. If Target knew, or should have known, about the breach far earlier than it was made public, for example, yet failed to notify customers or the government, or failed to adopt common sense safeguards, it could take a huge legal hit. “The law in this area is still being developed, so there is less predictability as to what a court will do with these lawsuits,” Saikali says.
Companies can learn from Target's experiences, Saikali adds. If Target settles, or is held liable, other companies will study the outcome as they try to avoid the same sort of conduct that led to the exposure. If Target is not held liable, it will likely be because it met the standard of adopting reasonable security safeguards, and other companies will pay attention and try to adopt similar measures.