Target Breach Highlights the Importance of Business Vendor Management

by

By now, most people have heard of the Target hack, which potentially compromised 40 million credit and debit card numbers as well as 70 million other records, including names, addresses, email addresses, and phone numbers of Target shoppers.i However, what many people do not know is how the retail giant was breached in such spectacular fashion (and the answer may surprise you). This breach highlights the critical importance of business vendor management.

Target, like most retailers, had its HVAC system managed by a third-party contractor. The HVAC contractor was connected to the Target network for the purposes of monitoring energy consumption and temperatures in stores to save on costs and alert store managers if temperatures in the stores fluctuate outside of an acceptable range.ii

Using the HVAC contractor’s computer system as an entry point, hackers breached the Target network, installing malware, which then permitted the hackers to access millions of records. Of course, a number of lawsuits were then filed against Target by consumers and banks as a result of the breach.

Recently, Target announced it had reached a $39.4 million settlement with a number of banks, including Mastercard.iii This is just the latest in a string of costly lawsuits. In March, Target settled the class action suit brought by customers for $10 million,iv and, in August, with Visa for $67 million.v Target also saw a 46% drop in profits in the fourth quarter of 2013, compared with the year beforevi and CEO, Gregg Steinhafel, a 35-year employee, was oustedvii — a departure which cost the company approximately $61 million.viii All in all, Target’s failure to properly oversee and audit a business partner’s cybersecurity practices cost the company millions and impacted its business operations for years after the incident.

Basic preventative steps, in five essential areas, could have been taken to greatly reduce the cost and minimize the impact of a breach. 

  • The first area is vendor/business partner management. It is critical for companies to ensure that vendors and business partners are properly handling and protecting sensitive data. To ensure the company’s maximum protection before entering into a vendor/business partner relationship, the company should consult with counselix to evaluate the language in its business contracts and to maintain a right to audit the cybersecurity practices of its vendors. This will help ensure the company’s networks are not compromised by the carelessness of a vendor. 
  • The second area is insurance. Companies can minimize cyber risk through proper insurance but only if that policy adequately covers the entirety of a company’s cybersecurity risks. 
  • The third area is employee training and developing a culture of cyber awareness. 
  • The fourth area is internal IT protocols, software and monitoring. 
  • The fifth area, and perhaps the most important, is having an emergency response plan and implementing a team for handling breaches. Such a plan must include the identification of outside vendors that may be required in the event of a breach, as well as a plan for restoring business operations as soon as possible. 

In short, cyber and data security breaches affect companies of all sizes and are only becoming more ubiquitous in an increasingly connected business environment. Given how common these kinds of threats are becoming, companies must take action before, during, and after attacks to minimize costs and ensure they are prepared.

i Brian Krebs, “The Target Breach, By the Numbers,” KrebsOnSecurity, (May 14, 2014).

ii Brian Krebs, “Target Hackers Broke in Via HVAC Company,” KrebsOnSecurity, (February 14, 2014).

iii Jonathan Stempel, “Target in $39.4 Million Settlement with Banks Over Data Breach,” Reuters, (December 2, 2015).

iv Peter Cooney “Target Agrees to Pay $10 Million to Settle Lawsuit From Data Breach,” Reuters Tech, (March 19, 2015).

v Ahiza Garcia, “Target Settles for $39 Million Over Data Breach,” CNNMoney, (December 2, 2015).

vi Brian Krebs, “The Target Breach, By the Numbers,” (May 14, 2014).

vii Eric Basu, “Target CEO Fired - Can You Be Fired If Your Company Is Hacked?,” (June 15, 2014).

viii Paul Hodgson, “Target CEO’s Golden Parachute: $61 Million,” (May 21, 2014).

ix It is worth noting that consulting an attorney or allowing an attorney to coordinate may entitle your company to the protections of the attorney-client privilege. See Upjohn Co. v. United States, 449 U.S. 383 (1981) (noting that communications could be privileged if (1) the communications pertain to matters within the scope of the employee’s corporate duties, and (2) the employee is aware that the information is being furnished to the attorney to enable him or her to provide legal advice to the corporation).

Get Updates By Email

Blog Contributors