
Target Settles Out

DISCLAIMER: This post is based on preliminary reports from press accounts without having reviewed the full and final settlement terms.

It’s no secret, I’d like to see a more “cyber secure” nation. If you’ve read some of my past posts, you’ve probably heard me struggle with the effects of giving incentives (right, wrong and outright “disincentives”) to both everyday folks and security pros to help improve our cybersecurity posture. Earlier this month I gave a (dry even by sauvignon blanc standards) synopsis of some legislative developments as legwork for a following discussion on the incentives government gives and industry responds (or doesn’t respond) to in order to improve our collective security. At least that was “the plan.” Skipping ahead a few steps, but definitely related, we have more developments in the Target data breach litigation.

As of this writing, Target appears poised to settle litigation over the massive 2013 data breach of their IT systems for a total of $10M (plus up to $6.75M in fees to settlement class counsel). The breach affected 40 million accounts and up to 110 million individuals. From an “industry incentives” point of view, there are some mixed messages about security incentives in this news.

STANDING – Traditionally, cases like this are dismissed early in the process on the basis that cardholders and customers lack standing to sue because they suffered no actual, demonstrable harm as a result of the breach. The Target case (as one of a recent “four-pack” of cases indicating a coming change in this view of standing, see “CASES” below) is somewhat notable from the standpoint that it survived a standing challenge. Or as I heard defense counsel recently quip, “It’s getting to the point where I may actually have to defend one of these cases on the merits soon.” Talking incentives, this seems to be a clear indicator that courts are giving more weight to finding standing on the grounds of likelihood of harm to customers.

ACTUAL HARM – Surviving a challenge to standing hasn’t exactly paved a road to compensation, however. Let’s pause for a moment to do some math. Assuming a maximum potential affected class of 40 million accounts and/or 110 million individuals, Target and plaintiffs’ counsel are contemplating 25¢ or 9¢ in full-class compensation respectively? Not exactly. The low compensation to class member ratio probably lies in the likely difficulty class members will face in proving they’re entitled to compensation under the terms of the settlement. Individuals must:

  • Prove they used a debit or credit card at a US Target store (not the Target.com website) over the 19 day range of November 27, 2013 through December 15, 2013 [i]
  • Declare if they actually received a breach notice or if they simply believe their information was compromised [ii]
  • And must demonstrate they experienced at least one of the following:
    • Unauthorized, unreimbursed charges on their credit or debit card
    • Time spent addressing those charges
    • Fees to hire someone to correct their credit report
    • Higher interest rates or fees on the accounts
    • Credit-related costs
    • Costs to replace their identification, Social Security number or phone number
    • Loss of access or restricted access to funds

If you set the “way-back” machine to last December and my comments on Breach Fatigue (specifically, the difficulty in collecting and assessing information about your exposure as an “included individual” in a breach) it’ll be interesting to see how many people actually get compensation as a result of this settlement. But settlements are all about controlling risk and outcomes. While Federal District Judge Paul Magnuson got to decide that standing existed for litigation to proceed, Target gets to decide the parameters of what constitutes “actual harm” with these settlement compensation requirements.

DUTY OF CARE/SECURITY IMPROVEMENTS – It’s worth noting that this settlement affects consumer negligence claims that survived dismissal. Why’s that important? Because if the litigation proceeds to trial it then opens up the possibility the court carves out a duty of care for security and handling of customer data for data stewards like Target. Again on the notion of controlling risk, it’d be risky to roll the dice on that standard being developed at Target’s peril if an affordable alternative exists. It’s also somewhat unique that as part of the settlement, Target has agreed certain security improvements be imposed as part of the court order. Similar to controlling the terms of determining actual harm, Target gets to control the dialogue around what steps should be taken in light of the breach. Settlement steps include:

  • Appoint a Chief Information Security Officer
  • Maintain a security program that identifies risks to shoppers’ personal information
  • Have a process for monitoring security risks
  • Give security training to employees

To be fair, as a Level 1 PCI merchant with nearly $52B in market cap, you could probably argue that these are “Security 101” steps for such an organization. And most, if not all, were probably already implemented between the time of the breach and the settlement. [iii] But by including these security improvements in the final order, we are getting some market indicators of thinking around an evolving duty of care regarding security, even if this particular settlement provides no acknowledgement or precedent to that effect.

With new info from the Target consumer case regarding valuation (40M consumers and payout likely far south of the maximum $10M), standing (broader inclusion), actual harm and security duty of care (negligence claims allowed to proceed and parties including security improvements as part of order), are these more and better incentives to secure information or is this just an exercise in post breach risk management?


CASES

  • In re Adobe Sys. Privacy Litig., F. Supp. 2d, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) – expansive treatment of “standing”, accepting notion of “increased risk of future harm” & cost of steps to mitigate fraud & malfeasance.
  • FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d (D.N.J. 2014) – Refusal to dismiss claims and FTC contention that “reasonable” steps were not taken to protect data.
  • In re LinkedIn User Privacy Litig., 2014 WL 1323713 (N.D. Cal. Mar. 28, 2014) – for paying premium users, payment of fee with misrepresentation of own privacy policy gives rise to standing


[i]  Can’t help but wonder then (here we go again with the math…) for a breach scope of 40M compromised accounts, does citing this specific date range mean that 12.6% of the US population (2013) shopped at Target using credit/debit over those 19 days??

[ii]  As discussed in the opening disclaimer, I’m not intimately acquainted with the 97 page potential settlement doc, but I’m guessing not receiving a notification will be a barrier to receiving compensation.

[iii]  For example, Target appointed Brad Maiorino CISO last summer.

Cybersecurity: Recent Legislation

I know, talking legislation is sexy stuff. But a short look back at some recent developments will be foundational to some important coming discussions.

The past several months have been packed with cybersecurity legislation. Lawmaking is inherently an iterative process and, at the risk of sounding cynical, despite all the activity it’s fair to say we haven’t covered much new ground in 2015. But don’t interpret the following synopsis as cynicism. The legislation is absolutely indicative of substantive forward progress, but I feel there’s an opportunity at hand for larger leaps forward. A short recap of recent legislation and recurring themes to frame a later discussion:

Private Sector Information Sharing: 2015’s State of the Union address included a section focusing on Cybersecurity, specifically with a call for better efforts to “integrate intelligence.” Less than a month later, the President would raise that concern again at a Cybersecurity and Consumer Protection Summit. The summit featured the introduction of an Executive Order (EO) “Promoting Private Sector Cybersecurity Information Sharing.” Information sharing is hardly virgin ground for Cyber legislation.[i] The call for Cybersecurity Information Sharing and Analysis Organizations (ISAO) can be found in the Homeland Security Act of 2002, the 2013 State of the Union Address and the 2013 and 2015 versions of the proposed Cyber Intelligence Sharing and Protection Acts. The 2013 State of the Union Address also gave rise to its own EO (EO 13636) calling for the creation of a framework outlining processes for voluntary private sector information sharing. Two of four Cybersecurity bills passed late in 2014 called for similar collaboration, the Cybersecurity Enhancement Act and the National Cybersecurity Protection Act. Last month’s EO would add additional detail to ISAOs calling for formalized changes and updates to sharing policy as well as the creation of a non-government ISAO Standards Organization. If recent legislation has a predominant theme it’s “Please share…pretty please??”

Cyberspace as Critical Infrastructure: Legislation has also emphasized the protection of U.S. Cyberspace as key to economic, military and national security stability. Several sectors of U.S. Cyberspace were therefore defined as critical infrastructure in the Homeland Security Act of 2002. Provisions were made for critical infrastructure protection (CIP) in 2003’s Homeland Security Presidential Directive-7. Those CIP prescriptions were further refined in the Cybersecurity guidance of 2013’s EO 13636 (titled “Improving Critical Infrastructure”) and the resiliency prescriptions of Presidential Policy Directive 21. And the Cybersecurity Enhancement Act of 2014 once again highlighted the importance of our cyber assets and infrastructure to American prosperity and well-being. Second theme: “This stuff is important.”

Privacy and Civil Liberties Are Essential: There have been two recent long-form attempts to describe privacy rights and civil liberties in Cyberspace, 2012’s Consumer Privacy Bill of Rights and last week’s 2015 version of the Consumer Privacy Bill of Rights. In the span between those two offerings, preserving privacy has also been a stated outcome of 2013’s EO 13636, this year’s EO Promoting Private Sector Cybersecurity Information Sharing and the National Cybersecurity Protection Act of 2014. At one point President Obama also threatened to veto the 2013 version of the Cyber Intelligence Sharing and Protection Act if it wasn’t amended to ensure privacy and civil liberty protections.

Now that the legal pedigree is behind us, that’s thirteen years of the same three-part harmony:
“Share information.”
“Cyberspace is critical.”
“Privacy is essential.”

And let’s be clear who the intended audience is – the private sector. Because as of 2009 the vast majority of public sector organizations began some migration to some subset of the same government security standards. So after thirteen years, how are we still in roughly the same position? I believe it’s because, on their face, those three statements don’t provide enough incentive to bring the right stakeholders to consensus yet. I believe we’re close. I’ve offered what I think it will take to get us there absent some positive change. But I also believe the public sector (and not necessarily just the Feds) has at least one more compelling incentive it can offer. I think evidence of that can be heard echoed here in the reactions of Trustwave’s Phil Smith, RSA’s Mike Brown and Denim Group’s John Dickson.

To be continued…


[i] Information sharing is one means of attempting to scale efforts to combat an “open source adversary.” Open source adversaries, like cyber criminals and advanced persistent threats, can cheaply and easily replicate attack methods and vectors, using scale to incredible advantage. J. Michael Daniel, cybersecurity coordinator at the White House, gave this explanation of the benefits of the counter-tactic: “We have seen industries that have increased their information sharing—such as in the financial services industry—and that does make a meaningful difference in being able to cut out a lot of the low-level attacks and intrusions. When you do that, then you can focus your humans on the more sophisticated intruders. I see this as a sort of baseline for us just to stay in the game.” For a brief treatment of open source cyberwar see John Robb’s blog or the excellent example in his book Brave New War.