In brief - Shareholders sue directors of Target following major data breach

Two shareholder actions have recently been filed in the US against the directors and officers of Target following a major data breach, alleging that they failed to ensure the company had adequate data security and that they made false and misleading statements and failed to take adequate steps to protect the company in the wake of the breach.

Two shareholder derivative actions brought against Target's senior managers and directors

Shareholder derivative actions are lawsuits brought by shareholders in a company, on behalf of the company. They are often brought when a company decides not to pursue a claim it is entitled to. Two shareholder derivative actions have been filed in the USA against the senior managers and directors of Target in respect of a recent data breach.

We believe these are the first shareholder derivative actions brought against directors and officers which allege inadequate security and a subsequent failure to manage a data breach appropriately.

Directors and officers should anticipate cyber attacks

Directors and officers should note that:

  • The incidence of cyber security breaches continues to increase.
  • Directors and officers should inform themselves of their company's exposure to cyber risks and ensure that appropriate policies, IT infrastructure and incident management strategies are in place.
  • They should expect that a cyber security risk will affect their company one day.

Sophisticated malware captures credit card and personal information from point-of-sale terminals

In late 2013 Target, one of the world's largest retailers, was the victim of a sophisticated cyber attack. It appears that hackers infiltrated Target's network using credentials stolen from a contractor; the contractor had credentials allowing it to access Target's online invoicing system.

The hackers were able to map Target's network and install sophisticated malicious software (malware) on point-of-sale terminals in Target stores across the USA. The malware captured credit card information and customer personal information. This was encrypted and then transmitted to the hackers.

Company alerted to data breach by US Department of Justice

Target was first alerted to the attack by the US Justice Department (DOJ) on 12 December 2013. It immediately began an internal investigation and met with the DOJ on 13 December.

Forensic investigators were retained on 14 December; the majority of the malware was removed the next day. Target then began liaising with payment processors and payment card networks with a view to making a public statement.

Details of 40 million credit cards and up to 70 million customer records stolen

On 18 December 2013, a widely-read security blog announced Target's investigation into the as-yet unpublicised breach. The next day Target announced that hackers had stolen the details of 40 million credit cards used in Target stores between 27 November 2013 and 15 December 2013. Target initially noted that PIN numbers had not been compromised; it later admitted that encrypted PIN numbers had been copied.

On 10 January 2014 Target admitted that up to 70 million customer records containing personal data (such as names, addresses, phone numbers and email addresses) had been copied.

Target offers customers free credit monitoring and identity theft protection

Target has assured customers whose credit card information was stolen that they will not be responsible for fraudulent charges. It has offered all customers free credit monitoring and identity theft protection for one year.

Stolen credit card information sold online

Fraud analysts have ascertained that the credit card information stolen in the Target data breach has been sold online via websites known as cardshops. A malicious purchaser would typically intend to use the card details to purchase goods before the card could be cancelled.

At present there is no information available on whether the customer records containing personal information have been used to commit identity theft. In our view the risks to consumers of identity theft are far more severe than the risks posed by credit card fraud.

Significant and growing costs for Target as a result of data breach

As we stated above, two shareholder derivative suits have named the board as defendants in respect of the data breach. Further difficulties facing Target at this point as a result of the data breach include:

  • regulatory investigations and associated enforcement activity
  • civil litigation costs in respect of other class actions
  • the costs of forensic IT investigators, consultants, public relations and legal advisers
  • the costs of providing credit monitoring and identity theft protection to consumers
  • the cost of upgrading infrastructure and other remediation expenses

In a statement released on 26 February 2014, Target declined to estimate the future costs of the breach, but noted that it had incurred expenses of $61 million in respect of the breach.

Target currently expects to receive insurance payments of $44 million. The $61 million figure incorporates an estimate of the cost of negotiating a settlement in some of the payment card network claims made against Target.

Shareholder derivative actions allege that directors and officers failed in their duties

Both of the shareholder derivative actions were filed in the US District Court in Minnesota, on 21 January and 29 January 2014. The pleadings allege that the directors and officers failed to discharge their duty to Target by:

  • failing to ensure that Target had adequate cyber security measures in place
  • making false and misleading statements in the wake of the data breach
  • failing to take adequate steps to protect Target in the wake of the data breach

It is presently too early to say whether these shareholder derivative actions have any chance of succeeding.

What should company directors do in light of growing cyber security risks?

It is likely that 2014 will see further data breaches as significant as those seen in 2013. In our view, the following observations are relevant to all organisations.

Cyber risks are intensifying and their costs are significant

The recent experience with Target should indicate to all that in addition to the primary risk of a cyber attack itself, there are substantial secondary risks such as litigation brought by affected third parties. Directors should:

  • inform themselves of their company's exposure to cyber risks
  • ensure that the company has implemented appropriate security measures and risk mitigation strategies

Appropriate cyber security insurance is an important measure for managing the fiscal risk associated with data breaches.

Create a data breach management plan before a data breach occurs

The shareholder derivative suits both allege that Target failed to manage the data breach appropriately. This highlights the importance of the response to any data breach.

The extent to which such criticism is reasonable and warranted remains to be seen. It is likely that it will only be possible to assess this fairly once the forensic IT investigations have concluded.

Liaise with data breach service providers and insurers before a breach

Most businesses are unlikely to have sufficient in-house personnel and resources to handle a data breach appropriately. It could be necessary to retain specialists in forensic IT, public relations and specialist lawyers.

If a cyber security policy has been purchased, the insurer may direct the use of preferred service providers. It is therefore advisable to discuss which service providers are acceptable to the insurer and the insured prior to a breach, so that if a breach occurs, specialists can be brought in promptly to assist.

Insurers may wish to review the data breach management plan during the underwriting process.

Importance of using "depth in defence" in IT security

The increasing sophistication of hackers requires a new approach to IT security. Previously, some organisations may have adopted a "perimeter" model of defence, which focuses on preventing unauthorised access to the secured systems.

Systems built with the idea of "depth in defence" in mind have multiple features which provide security, so that a hacker who penetrates the perimeter does not enjoy unrestricted access to all network-accessible resources and information.

Target a victim of state-of-the-art malware designed to avoid detection

The Target data breach involved sophisticated malware which had been customised specifically for the attack upon Target's network. The malware was designed to circumvent firewalls, evade anti-virus and other intrusion detection programs and to cover its tracks.

This data breach should remind directors and officers that they cannot afford to rely upon their current IT security systems, however up to date they may be. While it is important for corporations to continue to update and invest in state-of-the-art IT security systems, they are not a panacea.

In a cyber attack the targeted organisation will generally find itself on the back foot. Directors and officers need to ensure that the corporation maintains a cyber attack management plan which facilitates the prompt mitigation of an attack's consequences.