Target Corp. has reached a $10 million settlement with U.S. customers whose personal data may have been breached.
A Minnesota judge has endorsed a settlement in which Target Corp. will pay millions to settle a class-action lawsuit over a massive data breach in 2013.
The $10-million Target Corp. data breach settlement announced Thursday should send a message to other retailers, say experts in the field.
“Companies have to lean forward on cybersecurity, manage the risk from the top and create a culture for cybersecurity across the enterprise — not just in the IT (information technology) department,” said Chris Furlow, president of Ridge Global.
Furlow is also a manager of operations for Ridge-Schmidt Cyber, the consultancy founded by former U.S. Homeland Security secretary Tom Ridge and former White House cyber-czar Howard Schmidt.
“This is not the kind of risk management they teach in most business schools, so many executives are uncomfortable with cybersecurity as an issue and they hope someone else in the organization will manage it for them,” said Furlow. “Failing to address these issues until an incident occurs can be disastrous for a business.”
In the lead-up to Christmas 2013, information on 100 million Target customers was compromised after hackers gained access to company computers and scooped data straight out of point-of-sale terminals.
The breach spooked U.S. customers, who began staying away from Target in droves, adding to the expensive problem the retailer was already facing in Canada.
Target Canada Corp. declared insolvency Jan. 15, after less than two years in business. The first stores closed on Wednesday. Another dozen will close March 22. In all, 17,600 people will be left jobless.
The $10-million Target fund for victims of the data breach is available to anyone in the U.S. whose data was compromised, to a maximum of $10,000 per claim. The process is not open to Canadians.
The proposed settlement also requires the Minneapolis-based retailer to appoint a chief information security officer (CISO), maintain a written information security program and give workers security training.
Target Corp. spokesperson Molly Snyder said Target hired a CISO last year.
Canadian consumers whose data was compromised by the breach were offered one year of credit monitoring, Snyder said.
Retailers may feel like there is safety in numbers — that the probability of any one retailer falling victim is low — but it’s a false sense of security, said Carlisle Adams, a professor in the School of Electrical Engineering and Computer Science at the University of Ottawa.
“Typically hackers send out automated software, looking for any vulnerable machine. They don’t really care who it is. They’re looking for any hole they can climb through and once they’re there, they’re looking for interesting or juicy data. Malware is kind of blind in that sense.
“There are lots of tools and practices and procedures you can put in place. They are well-known. It’s just that for a lot of companies … often they don’t have the time or the people in place to put those measures into effect and monitor them regularly,” said Adams.
“It’s small comfort to the people whose data has been breached, but it does cause other companies to take notice and take some action so they don’t get into the news for the same reason.”
Philip Lieberman, chief executive officer of Lieberman Software, said the Target example provides strong motivation for corporate boards to embrace organizational change when it comes to IT security, choosing effective tools instead of “cheap or default choices.”
“There is an element of theatre to these settlements. You’re trying to convince customers that you are safer than the other guy,” said David Skillicorn, a professor in the School of Computing at Queen’s University.
“One thing these high-profile incidents do is, they remind everyone that they can happen and if they do happen it can be expensive. It’s a good reminder to businesses that are being pushed in the other direction of less security and more convenience.”
Source Credits: Francine Kopun – business reporter in The Star