One of the biggest hacks in history was the Target credit card hack of winter 2013, which affected approximately 60 million people. Four years later, Target is finally putting the situation behind it, settling legal action brought against it by 47 states. The amount: $18.5 million.
This does not include the many millions the Minnesota-based retailer paid to credit card company Visa, victims, banks, and others, which pushes the total amount of legal fines and settlements to well over $100 million. (It also doesn’t include such intangibles as the hit to its brand’s goodwill, the money Target spent finding out how it was attacked, the money spent fixing its security issues, etc.)
Data breaches are expensive to deal with, as the Target incident and others reveal. So far, so normal: the news about Target’s settlement is non-news.
Except there is a twist. Under a section termed “Specific Safeguards” of the settlement, Target agrees to specific data security protocols.
Granted, you can find similar language in other agreements signed by many companies: the company agrees to use encryption anywhere sensitive data is stored, it promises to do a better job training employees, etc. But what Target is agreeing to is much more specific by comparison. For example:
- “TARGET’s Cardholder Data Environment shall be segmented from the rest of the TARGET computer network,” or,
- “TARGET shall deploy and maintain controls, such as, for example, an application whitelisting solution, designed to detect and/or prevent the execution of unauthorized applications…”
There’s more where that came from.
Siloing data? Whitelisting? This is the type of language you expect from IT, not from a group of people who spent their time trying to pass the bar. It’s not inconceivable that IT experts were hired as part of the settlement drafting process, or that the AGs (or their underlings) know their way around digital data security, and that the settlement language reflects that.
However, such specific details were absent in the past. It almost seems as if, realizing that the past 10 years of suing companies over data breaches has changed nothing, the government is now taking charge and including basic data security specs that companies should follow, minimizing the wiggle-room and loopholes that vague wording creates.
There will be detractors to this: codifying certain technologies into law today causes problems if the law doesn’t keep up with progress. Conceivably, you could run into a situation where an offending party is protected by law despite not implementing adequate security. An example: a law passes requiring that a certain encryption algorithm be used, but a vulnerability in that algorithm that cannot be fixed is disclosed soon after. Most companies switch to a different type of encryption, but not all do. Subsequently, these stragglers are hacked using that vulnerability but are legally protected because the law wasn’t updated in time.
The good news in the Target case is that a settlement, while having legal effect, is not law. So, no unintended consequences there.
In addition, it sends a signal to other companies about what is acceptable and what isn’t. If Attorneys General across the continental USA slammed a Fortune 500 company for, for example, not siloing data, then it’s not inconceivable that they’ll do the same when they encounter a similar situation again. Pointing out specific practices and technologies in settlements should provide ammunition to IT executives who try to implement them in the enterprise but find themselves hamstrung by higher-ups.