Target ruling raises stakes for cybersecurity vigilance
A Minnesota judge ruled that a lawsuit against Target over last year's breach could proceed because the retailer 'played a key role in allowing the harm to occur.'
Robert F. Bukaty/AP
A Minnesota court may set a chilling new precedent for retailers with its ruling that Target could be sued for failing to adequately defend against last year's massive data breach.
By rejecting Target's motion last week to dismiss the lawsuit brought by several banks, and allowing the case to proceed, the court held that the retailer’s failure to heed warnings from a security alerting system, and its disabling of certain security features, could be viewed as negligent actions.
Consumers and banks have routinely brought negligence claims against businesses such as Target that have suffered a data breach. However, this is the first time in a data breach case of this magnitude that a court has said a company can be sued for failing to respond to warnings from security software. That decision could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches.
The banks have plausibly argued that Target’s actions and inactions caused foreseeable harm, US District Court Judge Paul Magnuson wrote in his 16-page ruling.
“Imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit and debit card information,” wrote Judge Magnuson. "Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur."
The ruling on the motion to dismiss only means the case can proceed to the next phase, where Target will have another opportunity to argue its story. A Target spokeswoman said the company would not comment on pending litigation.
Target has previously admitted that it might have spotted the breach earlier had security administrators paid closer attention to numerous alerts generated by one of its recently installed network security monitoring tools. The company has noted that it investigated the alerts in a preliminary fashion and then decided they did not merit further attention.
“This ruling opens a can of worms,” she says.
The security systems put in place at many major companies routinely generate millions of log events every single day. But just because a system generates an alert does not automatically merit a high-priority response. The effectiveness of these systems depends to a large extent on the kind of filters that a company puts in place for detecting unusual activity on its networks. Just like an automobile alarm can sometimes go off without any real reason, network security alerting systems can generate false alarms, too.
The banks that brought the lawsuit against Target are not immune from such problems, says Ms. Litan. “Take, for example, the case of the JP Morgan Chase Breach. I am sure the alerts on that breach went off in some of their logs as well."
The notion that negligence might exist just because a security-alerting service was not being aggressively used or monitored highlights a lack of understanding of how companies deploy new security technologies, says Christopher Pierson, general counsel and chief security officer at Viewpost, a supplier of an online invoicing and payment platform.
For one thing, companies do not rely on just one device or one tactic to protect against attacks. All mature security programs use multiple layers of defensive alerts to combat hacking, says Mr. Pierson. Many companies also tend to take a cautious and staged approach to deploying new security tools on their network. The typical cycle is to first deploy a new tool in learning or passive mode so it can gather information on what constitutes normal network behavior for a company. Even after that, companies often limit any kind of automated blocking or response features that are built into a security product to minimize problems, says Pierson.
So the apparent fact that Target did not use its alerting tool more aggressively, or that the tool was turned off, is not unique. Also, while monitoring network events and logs can enable better security, requiring companies to monitor all their logs all the time could cripple their ability to operate. “It flies in the face of a risk based and holistic approach to cybersecurity,” says Pierson.
Lawsuits by consumers and banks have become almost de rigueur after nearly every data breach these days. Retailers and other entities covered by the Payment Card Industry Data Security Standard also have to contend with stiff fines and penalties from credit card associations such as MasterCard and Visa if they suffer a breach that exposes cardholder data. Companies can end up spending tens and even hundreds of millions of dollars in settlement costs, damages, fines and legal fees associated with such cases.
Target has said it expects breach related costs to be around $148 million. The breach resulted when intruders gained access to Target’s network using login credentials stolen from a company that provided heating, ventilation, and air conditioning services for Target. The thieves then used that initial access to burrow their way into Target payment network from where they stole data on some 40 million credit and debit cards. In addition, the thieves also stole records containing names, addresses, and e-mail addresses on about 70 million customers.
Payment processor Heartland Payment Systems is believed to have spent some $140 million in settlements and legal costs over a 2008 network intrusion that exposed data on over 100 million payment cards. TJX Companies, the owner of brands like Marshall’s and HomeGoods spent a staggering $250 million in similar costs following a network intrusion in 2006.
If the Minnesota ruling influences other courts to allow similar lawsuits, it could ironically prompt companies to pull back from more robust security monitoring systems, say some experts.
“There is a huge security negative to this kind of ruling,” says John Pescatore, director of emerging security threats at the SANS Institute in Baltimore. “It reinforces the ‘better not to know, than to know and not do anything’ [mindset]. For way too long that was used as a reason not to do vulnerability scanning or penetration testing – a huge mistake.”