Almost every day there is a data breach in the news. Companies like Yahoo, LinkedIn, Adobe, JPMorgan Chase, and even a US voter database with over 191 individuals' details, have all been subject to breaches through various methods. With all the money and security technology at their disposal, these breaches still seem to happen, whether through lapses in security, human error, or malicious internal leaks. While the goal is obviously to prevent breaches in the first place, if they do happen - who is at fault?
Let's first look at one of the most infamous breaches in recent times - U.S. mega-retailer Target. They are one of the largest retailers in the US, and third largest in the world based on sales. They have 1,795 stores across North America, and see almost 3 million people pass through their doors on a daily basis; needless to say, they are a data goldmine. In fact, their data is so in-depth that they once (in)famously discovered that a teen customer was pregnant before she'd even announced the news to her family. With such a vast amount of data to protect, their IT department wisely realised that they were a target (pardon the pun!) and invested in a security monitoring system called FireEye. Unwisely, on the 30th of November, 2013, when that fancy new security system notified their IT department that malware had been detected on their system, they decided to ignore it.
Fast forward to the 13th of December, two weeks after the malware was first detected, when Target received a call from a journalist called Brian Krebs. Krebs wanted to let them know that he'd stumbled across a large, fresh batch of credit cards being sold on underground marketplaces. The cards all had one significant thing in common - they had been used at Target from late November to mid-December.
During their busiest shopping period of the year, Target knew they had been infected, and chose not to react.
In total, over 70 million individuals had their account data, including full names, credit and debit card numbers, expiration dates, CVV codes, and even PIN data stolen, right under Target's nose. Recent estimates expect Target to be liable for over $3b USD. More than 90 lawsuits have been filed against the retailer by both customers and banks, and their profit for the holiday shopping period fell almost 50%.
When Target Chairman/President/CEO Gregg Steinhafel was asked any specific questions about the incident, he had this to say: "Target was certified as meeting the standard for the payment card industry in September 2013...". In other words, "We met the standard - what else do you want from us?" That question is increasingly difficult to answer, yet it couldn't be more relevant to today's companies.
Under the doctrine known as 'negligence per se', if there is a law, regulation, or widely adopted industry standard, then failure to meet that standard is automatically negligence - but achieving compliance with that law or standard is not, by itself, enough to prove that you weren't negligent.
What if Target had never purchased FireEye - is ignorance an excuse? Unfortunately not. Where the law states you must take reasonable care to protect your customers' data, that means utilising the tools available, whether or not they are an 'industry standard'. In the rapidly advancing security marketplace, this means continuously evaluating projects and solutions that were previously deemed too expensive or unnecessary. The recent explosion of augmented reality game Pokemon Go only served to show how quickly technology can be adopted - what is out of reach one week might be vital to the company the next, so you have the responsibility to always make sure your company is ahead of the curve.
While proper prevention and protection measures should always be in place to defend your company, breaches can happen - when they do, make sure you have taken the precautions necessary to know that you have done all you can to protect your data. Your customers (and insurers!) will thank you for it!