Target Breach: A Watershed Event
Privacy Attorney Assesses Incident Response
The breach at Target stores that may have affected as many as 40 million credit and debit card account holders is a watershed moment that could greatly raise awareness of cybersecurity risks, says privacy attorney David Navetta.
"It's a watershed moment because of the high-profile nature of Target and the size of the breach," says Navetta, a partner at the Information Law Group. "... It will raise [breach] awareness because people often think of hacking situations online or losing your credit card information at e-commerce sites. But now, here we have a situation where people are physically going into the store, using their card ... and their data is being taken."
The high-profile incident could serve as a catalyst for more organizations in all business sectors to develop robust breach response plans, Navetta says in an interview with Information Security Media Group.
"That said, a plan before a breach can take you only so far," he says. "Every breach is a unique creature, and provides a lot of curve balls. ... And you can never anticipate [everything], even with the past planning."
Target hasn't shared details about the breach beyond what it reported Dec. 19 - that U.S. point-of-sales transactions conducted between Nov. 27 and Dec. 15 were likely compromised (see Target Breach: What Happened). The retailer fessed up only after media reports of the breach.
Navetta says he suspects that the delay in reporting might have been justified because Target was in the midst of an investigation to determine what went wrong.
"They probably had to go out with the best information that they had perhaps because this became a public event," he says. "They should continue with their investigation and make sure they understand the root cause of this breach. They should eliminate any vulnerabilities that may exist that allowed the breach to occur. And they should get a full picture of the actual scenario in terms of what was exposed and who was exposed and also finally confirm that it's not ongoing."
In the interview, Navetta:
- Discusses the impact of the breach on the debate over whether Congress should enact a national breach notification law;
- Explains why offering breach victims free credit monitoring is not necessarily effective as a tool to stop charges from appearing on customers' invoices (this interview was conducted before Target announced it would offer free monitoring to certain affected customers); and
- Addresses lessons all types of organizations could learn from the Target breach.
Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He's also a certified information privacy professional.
Target Breach: A Watershed Event
ERIC CHABROW: What does the Target breach say about the nature of today's breaches, and for that matter, the growing sophistication of cybercrime?
NAVETTA: On some level I think it is a watershed moment because of the high-profile nature of Target and the size of the breach. But these point-of-sale breaches have been happening on a smaller level for quite a long time now, frankly, but they haven't gotten as much press. I do think it is interesting because it will raise awareness. People often think of hacking situations online and losing your credit card information on e-commerce sites, but now here we have a situation where people are physically going into the store, using a card, and their data is being taken.
Rules for Reporting Breaches
CHABROW: Is there any rule of thumb on how long an organization should take to notify stakeholders, customers in this case, of a breach?
NAVETTA: There is no necessary rule of thumb. There are some states that actually have deadlines. I think Florida for instance has a four to five day reporting deadline under HIPAA HITECH; it's under retailer situation, but there is a sixty day deadline. Usually there is kind of a vague standard about a reasonable, or most expedient, time frame to report. Now, the reality is supposedly that these happened sometime around Thanksgiving. We are upon the 20th of December here, and to be able to get your arms around a breach of this magnitude and report on it, even three or four weeks is a stretch oftentimes. I think that the reporting of this was probably triggered by media reports. I am sure they were in the middle of investigating everything and trying to gather as much accurate information as possible before reporting, and I think what is really important to know is that you don't want to go out and report a potential breach without clear information as to what happened. That is a pretty common approach here, because if you go out and state something that is not true, you may have to correct it or cause alarm that may be unwarranted. You have to be very careful in your forensic investigation to determine exactly what happened. Then, take that information and divert it into a letter that hopefully informs your customers as to what the situation is, as opposed to creating fear and hysteria when it may not be warranted.
Target's Response Letter
CHABROW: How do you assess the adequacy of Target's response, and how were they forced to send a letter out earlier than they may have wanted to?
NAVETTA: It's a fairly typical response in this space, and it covers a lot of information that is required to be provided to individuals under various state breach notification laws. The response to me is appropriate. In terms of the credit monitoring, that is an altogether kind of difficult judgment call in certain breaches. The problem with credit card breaches and monitoring is that credit monitoring is not actually a useful tool for detecting credit card fraud. Basically, the bad guys are using accounts that already exist in your credit reports, and looking at your credit report really won't reveal the fraudulent use of a card necessarily. You might see a spike in one of your balances in a card, but the better thing to do is to look at your card statement. Then, you can look at unusual activity or transactions you haven't done as a consumer, and have an idea that fraud occurred. I would argue, and I've had this talk with certain regulators, that offering free credit monitoring is actually a distraction from the credit card breach, because the actual harm is more easily detectable in the statements that consumers receive. If you're sending them off to look at their credit reports, and they're not focusing on their actual statements, you're actually distracting them from what they need to do to protect their credit card statement.
What Should Target Do?
CHABROW: What should Target be doing right now?
NAVETTA: I anticipate that their investigation is not fully finished. They probably had to go out with the best information they had, perhaps based on the fact that this became a public event. They should continue their investigation and make sure that they understand the root cause of this breach. They should eliminate any vulnerabilities that may exist that allowed the breach to occur, and then get a full picture of the factual scenario in terms of what and who was exposed, and finally, confirm that it is not ongoing. If those are all the things going on in the background of the investigation, I imagine that Target has not fully finished. Then, they are going to have to work with their customer base. They will probably set up, if they haven't already, a call center to help answer additional questions and deal with reputational aspects of this. Target is a very high-profile brand and they don't want their customers to be upset. [They need to] have this situation helping their customers through it, setting up a clear communication line, and providing additional information if they find additional facts.
The other thing of course that is going to happen here is the threat of litigation and lawsuits. Many breaches never resulted in any kind of lawsuits, but when we get a high-profile breach of this magnitude with a brand name, I can anticipate that lawyers are already starting to get their complaints ready to file. I anticipate that they're also considering what their legal liability issues are, what their defenses may be, and trying to preserve information that may help defend them in a litigation. I'm sure they are also planning on having talks with various state regulators about the breach, and dealing with that fallout as well to let them know what is going on and reassure them that their citizens' interests are being looked after. With a breach of this size, all of these things are happening at the same time. I am sure it is very much a firestorm over at Target. I am sure that they have many people on this matter now working on all the various angles that need to be addressed. I think they'll probably be working for the next couple of months at least before they then have to potentially defend themselves in lawsuits and regulatory inquiries.
Plan in Place
CHABROW: Do some companies already have a plan in place?
NAVETTA: Many organizations anticipate, or basically assume, some day they will have some sort of breach. That is not an unfair assumption these days. If they had everything in order, they would have already put together an incident response plan. That plan would be put together not only by the security professionals, but by legal, public relations, and the upper management. Hopefully they had that plan in place and are able to follow it. If it was done properly, it's going to make this process smoother. Now that said, the plan before a breach can only take you so far. It can help you understand what resources need to come into the equation to investigate and deal with the situation. It can help you and guide you on certain decisions, potentially around notification and other aspects of a breach, but every breach is its own unique creature and provides a lot of curve balls. In most cases, you can never really anticipate, even with the best planning. It's good to have a plan and to have people who understand it, who maybe have even tested the plan, but even so, that's not a foolproof way to ensure that these things are handled 100 percent perfectly. It is very difficult with all the different situations, investigations and actors that are involved to fully vet out what is going to happen in any situation.
National Breach Notification Law
CHABROW: Is this a good example of why there is a need for a national breach notification law?
NAVETTA: I guess it depends on which angle you're coming from. I'm sure Target would rather deal with one law than forty-six state laws and several different types of regulators. Merchants and other entities that could be breached would prefer to have one set of laws that apply; it would make these situations much easier to deal with. You wouldn't have to deal with all these different variations and these laws. The other side of the equation is that many of the proponents of the national law have been looking for more stringent fines and penalties, requirements for credit monitoring, and other types of requirements that make these laws potentially more onerous to companies like Target. That has been the back and forth on the national breach notification law. I think there is still a big gap between the consumer interest and the commercial interest in terms of getting one of those national laws in place. I'm not sure if this will move the needle one way or another. We'll have to see as we go forward, and we've already had massive breaches in the past that really haven't had much influence in terms of any kind of national law being passed.
CHABROW: What kinds of lessons could be taken from this breach?
NAVETTA: Having a plan ahead of time is important, and I think the mindset of, "we're not going to be hit by a breach," has eroded quite a bit. People are now in the mindset of, "okay so what happens if there is a breach." I think that mindset is important for organizations to have these days. It doesn't matter what sector you are in, if you have sensitive information or valuable information, you can count yourself as a target. To not have understood what could happen in these situations ahead of time can be very detrimental. In terms of actually preventing the breaches, the common types of vulnerabilities that can be exploitable across wide slots of an organization really need to be looked at.