Two weeks ago Target Chairman, President and CEO Gregg Steinhafel lost his job in large part due to the Target data breaches from November 2013 to January 2014. While it seems that he was the first CEO of a major company to lose his job as a result of a data breach, he clearly will not be the last. At a glance, he took all of the “required” steps – the company immediately started to investigate the problem, notified law enforcement, notified customers, offered discounts to customers who used Target’s branded debit and credit cards, and provided free customer credit monitoring. However, the company’s sales, profit and stock price have all suffered as the breach scared off both investors and customers.
Various causes have been cited for the breach – from hackers stealing the electronic access credentials from an HVAC vendor, to a series of attacks against Target’s POS systems over an extended period of time, to the systematic failure to update antivirus software.
However, the common thread here is that a more effective written information security program, or WISP, might well have prevented or limited the intrusions. The problem is not new and most certainly is not limited to the United States. As cyber spying and hacking grow, more large-scale computer intrusions will take place.
What is important to note is that while it may take years for local State and Federal regulations on this subject to emerge, it is likely that corporate managers, officers and directors are going to be held to an increasingly high standard of data security and due diligence. As of today, it is likely not enough to have a WISP; companies transacting over the Internet need to procure cyber-liability insurance policies that can mitigate losses in cases of breach. They also have to update or create detailed privacy and security programs that employees and contractors of such companies actually follow.
As Internet commerce continues to grow, companies must get serious about protecting proprietary information, as well as the personal information of customers and employees. Failure to do so is likely to result in more customer and shareholder suits, and deterioration in the value of such companies’ brands and assets.