Target Found Negligent in Data Breach Prevention

Sue Marquette Poremba
Slide Show

Five Myths Holding Your Security Program Back

A recent court decision about the Target breach should have businesses of all sizes taking note.

A Minnesota judge found Target negligent in the breach and said it can be held responsible for financial damages. Infosecurity Magazine quoted the judge:

“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”

This decision led Brian Foster, CTO of Damballa, to pose an interesting question, one that anyone who makes security-related decisions for their company should think about:

Do you immediately take devices off your network when you receive an alert from a prevention tool? Do you ever automatically block a device because of one alert?

Foster then hints of an even larger concern from an upcoming Ponemon study: Security professionals stated that they deal with approximately 17,000 security alerts per week, but only 19 percent of them are reliable. It’s already difficult enough to pinpoint a real attack. Now I anticipate the Target ruling putting companies even more on edge, knowing that after a breach, they could be under a lot more scrutiny and find themselves facing additional lawsuits.

As I was looking at the multitude of 2015 security predictions that I’ve received over the past couple of weeks, I noticed a few in which the Target breach and the court ruling may have a direct impact.

First, Chris Petersen, CTO and co-founder of LogRhythm, told me that we should expect more companies to inquire about cybersecurity insurance, and as a USA Today article echoed, cybersecurity insurance isn’t just for the “big guys.” Small and midsize businesses are just as vulnerable to an attack and need to consider protection just to keep the doors open.


Second, Steve Durbin, managing director of the Information Security Forum, says we need to pay more attention to the risks involving third parties, stating in an email comment:

Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations.  And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets.

Finally, Benjamin Caudill, founder and principal consultant at Rhino Security Labs, thinks that this year our lawmakers need to step up, telling me in an email:

At the moment, breach notification requirements and information security regulatory standards are patchy, antiquated, and fall short of what's needed. Even the health care industry, which stepped ahead of the curve with HIPAA, still has a lot of room for improvement. There's a need for laws that make sure that breached companies inform victims in a prompt and helpful manner, and an even more urgent requirement for laws which set minimum information security standards and guidelines. Expect to see information security issues come to the fore in courtrooms and senates around the world.

Target may not be the only company to be found negligent, as more and more companies find themselves the victim of a cyberattack. Is your company prepared in case it happens to you?

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Add Comment      Leave a comment on this blog post
Dec 12, 2014 12:28 PM Ulf Mattsson Ulf Mattsson  says:
So the ruling is - “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.” I find the ruling worrisome and I do not think that this will help the issue with data breaches. The approach to “disable one of the security features” is very common in the industry and other companies just haven’t been hit yet. The Target security team may have received a large volume of security alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious. We know that less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report by Verizon. Detection by external entities unfortunately increased from approximately 10% to 25% in the last three years. I think that we need to proactively secure sensitive data itself and not rely on monitoring systems to catch attackers. Ulf Mattsson, CTO Protegrity Reply
Dec 12, 2014 12:32 PM Ulf Mattsson Ulf Mattsson  says:
Target was hit by malware and another concerning fact is that McAfee Labs researchers have analyzed threats and seen a steady growth in malware. Sophisticated malware can be difficult to detect and poses as approved legitimate software. Even if the malware is detected it could be hard to notice in the noise malware detection systems. I suggest that we should rethink our approach to data security. We need to think more like a hacker that is trying to steal our sensitive data across any point in the entire data flow. I think it is time to take another, more data-centric, approach based on securing the data itself. Ulf Mattsson, CTO Protegrity Reply
Dec 12, 2014 12:33 PM Ulf Mattsson Ulf Mattsson  says:
The question is how to protect the data from persistent, intelligent threats while preserving its value to the enterprise. To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible. Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing non-identifying information to remain in the clear. Using data protection methods such as tokenization can also allow businesses to preserve the type and length of the data, as well as de-identifying only part of the data fields, while leaving the relevant parts in the clear, such as exposing a birth year rather than the entire date. This will keep the data usable for most business processes, while helping to protect the confidentiality of data and privacy of the individuals who make up the data. This data-centric approach can also protect sensitive data across the entire flow across all different silos. We may not be able to completely prevent hackers from stealing sensitive data, but we can make it far more difficult for them to cause significant damage with it. Ulf Mattsson, CTO Protegrity Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.