Target Breach Highlights the Importance of Business Vendor Management
By now, most people have heard of the Target hack, which potentially compromised 40 million credit and debit card numbers as well as 70 million other records, including names, addresses, email addresses, and phone numbers of Target shoppers.[i] However, what many people do not know is how the retail giant was breached in such spectacular fashion (and the answer may surprise you). This breach highlights the critical importance of business vendor management.
Target, like most retailers, had its HVAC system managed by a third-party contractor. The HVAC contractor was connected to the Target network for the purposes of monitoring energy consumption and temperatures in stores to save on costs and alert store managers if temperatures in the stores fluctuate outside of an acceptable range.[ii]
Using the HVAC contractor’s computer system as an entry point, hackers breached the Target network, installing malware, which then permitted the hackers to access millions of records. Of course, a number of lawsuits were then filed against Target by consumers and banks as a result of the breach.
Recently, Target announced it had reached a $39.4 million settlement with a number of banks, including Mastercard.[iii] This is just the latest in a string of costly lawsuits. In March, Target settled the class action suit brought by customers for $10 million,[iv] and, in August, with Visa for $67 million.[v] Target also saw a 46% drop in profits in the fourth quarter of 2013, compared with the year before,[vi] and CEO Gregg Steinhafel, a 35-year employee, was ousted,[vii] a departure which cost the company approximately $61 million.[viii] All in all, Target’s failure to properly oversee and audit a business partner’s cybersecurity practices cost the company millions and impacted its business operations for years after the incident.
Basic preventative steps, in five essential areas, could have been taken to greatly reduce the cost and minimize the impact of a breach.
- The first area is vendor/business partner management. It is critical for companies to ensure that vendors and business partners are properly handling and protecting sensitive data. To ensure the company’s maximum protection before entering into a vendor/business partner relationship, the company should consult with counsel[ix] to evaluate the language in its business contracts and to maintain a right to audit the cybersecurity practices of its vendors. This will help ensure the company’s networks are not compromised by the carelessness of a vendor.
- The second area is insurance. Companies can minimize cyber risk through proper insurance but only if that policy adequately covers the entirety of a company’s cybersecurity risks.
- The third area is employee training and developing a culture of cyber awareness.
- The fourth area is internal IT protocols, software and monitoring.
- The fifth area, and perhaps the most important, is having an emergency response plan and implementing a team for handling breaches. Such a plan must include the identification of outside vendors that may be required in the event of a breach, as well as a plan for restoring business operations as soon as possible.
In short, cyber and data security breaches affect companies of all sizes and are only becoming more ubiquitous in an increasingly connected business environment. Given how common these kinds of threats are becoming, companies must take action before, during, and after attacks to minimize costs and ensure they are prepared.
[i] Brian Krebs, “The Target Breach, By the Numbers,” KrebsOnSecurity, (May 14, 2014).
[ii] Brian Krebs, “Target Hackers Broke in Via HVAC Company,” KrebsOnSecurity, (February 14, 2014).
[iii] Jonathan Stempel, “Target in $39.4 Million Settlement with Banks Over Data Breach,” Reuters, (December 2, 2015).
[iv] Peter Cooney, “Target Agrees to Pay $10 Million to Settle Lawsuit From Data Breach,” Reuters Tech, (March 19, 2015).
[v] Ahiza Garcia, “Target Settles for $39 Million Over Data Breach,” CNNMoney, (December 2, 2015).
[vi] Brian Krebs, “The Target Breach, By the Numbers,” (May 14, 2014).
[vii] Eric Basu, “Target CEO Fired - Can You Be Fired If Your Company Is Hacked?,” (June 15, 2014).
[viii] Paul Hodgson, “Target CEO’s Golden Parachute: $61 Million,” (May 21, 2014).
[ix] It is worth noting that consulting an attorney or allowing an attorney to coordinate may entitle your company to the protections of the attorney-client privilege. See Upjohn Co. v. United States, 449 U.S. 383 (1981) (noting that communications could be privileged if (1) the communications pertain to matters within the scope of the employee’s corporate duties, and (2) the employee is aware that the information is being furnished to the attorney to enable him or her to provide legal advice to the corporation).