On Monday, May 6, Target Chairman, President and CEO Gregg Steinhafel, a 35-year veteran of the company, lost his job in large part due to the Target data breaches from November 2013 to January 2014. He may be the first CEO of a major corporation to lose his job as a result of a data breach – but he will not be the last.
Steinhafel was a highly regarded company leader who appears to have handled the breach crisis aggressively. He took the normal steps followed in these situations – immediately investigate the problem, notify law enforcement, notify customers, offer a 5-percent discount to customers who used Target’s branded debit and credit cards, and provide free customer credit monitoring – but the economic impact of the breach was just too substantial.
In December, Steinhafel revealed that a data breach compromised 40 million credit and debit card accounts between November 27 and December 15. Then, on January 10, the company said hackers also stole personal information – including names and phone numbers, as well as email and mailing addresses – from as many as 70 million customers.
Economic Impact: Since the breach, the company’s sales, profit and stock price have all suffered. Target reported in February that its fourth-quarter profit fell 46 percent on a revenue decline of 5.3 percent as the breach scared off customers. In March, Target’s annual report reflected that the breach has spawned dozens of legal actions and that the company could not estimate how big the financial tab would be. The media coverage has been nonstop.
Monday Morning Quarterbacking: What happened and what could have been done?
Various stories have emerged. Target and many in the industry point to hackers stealing the electronic access credentials of an HVAC vendor as the source of the problem. Others indicate that the Target intrusion was the result of a series of attacks against Target’s POS systems over an extended period of time, and they note the failure to update antivirus software as the likely cause. Other articles have indicated that, months before the initial intrusion, personnel inside Target’s IT section warned management of potential vulnerabilities, but the company did not act on the warnings because it did not believe they warranted immediate follow-up. The specific cause or causes probably will come out during the course of litigation.
However, the common thread here is that a more effective written information security program, or WISP, might well have prevented or limited the intrusions, and it almost certainly would have saved Steinhafel’s job. Certainly, Target had extensive written security policies, but it appears that weaknesses in its program may have let the company down. Effective WISPs are designed to catch, evaluate and respond to red-flag warnings from IT. They are also living programs that continuously evolve as cyberthreats change. For example, the U.S. Secret Service has been warning the industry for months that POS vulnerabilities are being targeted by hackers. Case law provides a clear example of what happens when company policies do not become the company’s living program.
Patco: The court’s willingness to evaluate and require a WISP was demonstrated in Patco Construction v. People’s United Bank (1st Cir. July 2012). There, hackers used malware to masquerade as the construction company and fraudulently withdraw more than $588,000 from the company’s bank account. Initially, a federal district court in Maine upheld the disclaimer of liability terms in the contract between Patco and the bank, and found in favor of the bank. However, in July 2012, the 1st Circuit overturned the district court and found that, while the bank was fully aware that its electronic banking was “high risk,” and implemented enhanced security as a result, it had neglected to effectively use its own security systems by failing to adopt security measures that, according to the court, were available and commercially reasonable under the circumstances.
Conclusion: This is an international problem. As the current cyberstorm continues, more large-scale computer intrusions will take place – around the globe. Even in the absence of individual national laws and regulations, corporate managers will be held to an increasingly high standard of data security and due diligence. It is not enough to have a WISP; your company needs a living, breathing security program that people actually follow when the alarms go off. Certainly investors will not give you a second chance to get it right. The target will be on managers’ backs to protect company proprietary information, customer and employee personal information, and, in some cases, the critical infrastructure of their countries, from hostile technology, weak vendor contracts and negligent employees. Failure to protect shareholder value will continue to define whether the CEO stays or goes.