November 18, 2018


Record-Setting Target Settlement Changes Expectations for Institutional Data Security

On May 24, 47 state attorneys general settled with Target for $18.5 million regarding its 2013 data breach. The implications of the agreement may be more far-reaching than many companies realize. The fact that nearly all attorneys general united their efforts to obtain the settlement implies that most states view the new standards set for Target as a framework for data security best practices going forward. The changes in policies and procedures for Target will likely become the de facto guidelines for businesses wishing to avoid regulatory action in the wake of a data breach.

The facts underlying Target’s breach appear to drive many of the settlement requirements. Rather than attacking Target’s gateway server directly, the cyberthieves gained access using credentials illegally obtained from a third-party HVAC vendor. The hackers then uploaded malware to steal customer data. Although Target’s security software raised alarms when it recognized the malware, Target’s decision makers concluded that no immediate action was warranted. Ultimately, the breach compromised the data of more than 70 million customers.

The ramifications of Target’s breach have been significant. In March 2014, Target’s most senior technology executive resigned. Following the breach, Target reportedly has incurred more than $200 million in various breach-related costs, including legal fees, and likely will spend an additional $10 million to settle a consumer class action. Perhaps more significantly, Target agreed to adopt advanced technical security procedures and complex administrative measures to rectify its vulnerabilities and prevent further breaches, including the following:

  • Implement a data security program including:

    • Segmenting cardholder/customer data from the rest of the computer network

    • Implementing password rotation and strength policies

    • Instituting two-factor authentication

    • Implementing access control and management

    • Monitoring file integrity

    • Application whitelisting

    • Maintaining logs of network activity

    • Implementing change controls

    • Adopting payment card security technologies (including encryption to protect data, or to disable access to such data remotely in the event it is compromised)

  • Audit contractors and subcontractors for compliance with security programs.

  • Hire an executive to manage/oversee the security program.

  • Employ a qualified, independent third-party contractor to thoroughly and properly assess cybersecurity.

Some organizations, and particularly those with limited resources, may find aspects of the above measures challenging to implement either from a technical or a budgetary perspective. However, all entities that manage, process, maintain, or are otherwise involved in the transmission of consumer, client, or employee data should carefully consider the roadmap set forth in the Target settlement, and seek assistance to revisit their existing security policies and procedures, to implement new practices to best position themselves to avoid data breaches in the first instance, and to weather the storm if a security incident does occur.

The Target example underscores that having robust security software infrastructure alone is not enough to protect an organization. A holistic approach to security, embracing technological, administrative and physical safeguards together with strong policies and sound decision-making, is required to minimize the likelihood of a security event in the first instance and to respond swiftly and thoroughly if and when a breach occurs. To that end, a properly written and well-rehearsed data breach response plan gives key decision makers a protocol to help mitigate the severity and impact of future data breaches. The landscape has changed, and institutions will need to learn from Target’s experience and adapt accordingly.

© 2018 Neal, Gerber & Eisenberg LLP.

About this Author

Gregory J. Leighton, Intellectual Property & Technology Transactions attorney, Neal Gerber law firm
Partner

Gregory J. Leighton is a member of Neal Gerber Eisenberg’s Intellectual Property & Technology Transactions practice group and is also a registered patent attorney. Greg’s practice involves both patent prosecution and the protection and enforcement of various forms of intellectual property. One key focus of Greg’s practice is controversies regarding intellectual property rights in the chemical and life sciences areas. Some of his recent representative matters in this space include successfully representing clients in patent disputes before federal courts and the United States...

312-269-5372
Sarah E. Smith, Intellectual Property & Technology Transactions attorney, Neal Gerber law firm
Partner

Sarah E. Smith counsels clients on a wide variety of intellectual property matters, including trademark, trade dress, domain name, copyright and trade secret issues. Sarah has extensive experience in developing and implementing domain name registration and Internet monitoring and enforcement programs, and has assisted clients in reclaiming scores of domain names through negotiation, litigation and arbitration proceedings under the Uniform Domain-Name Dispute-Resolution Policy. Sarah also has substantial trademark licensing and associated transactional experience, and frequently advises clients on trademark clearance, prosecution and enforcement matters around the world. Sarah represents clients in litigation matters before the Trademark Trial and Appeal Board as well as in federal and state courts. Sarah also has experience in an array of commercial litigation matters.

Sarah is also a member of the Internet Governance and Contractual Relationships Subcommittee of the International Trademark Association’s Internet Committee, and she is also a founding member of the Neal Gerber Eisenberg Domain Name Expansion Team. With ICANN’s expansion of Internet top-level domain names to limitless possibilities, e.g., “.law,” “.news,” “.your brand,” our Domain Name Expansion Team stands ready to assist clients in obtaining top-level domain registries of their own and in contesting the problematic applications of others.

312-269-5257