They say reality is based on everyone’s unique perspective. That belief is certainly reinforced by the case of a major retailer that sustained a breach in 2013. As most of our industry closely scrutinizes this event and the subsequent legal actions, we must remember that what is a game changer for some may mean absolutely nothing to others.
My brother is in the financial services industry, and he is aware of a paper I drafted about ten years ago, “Targeting the C-Class”, that essentially laid out how you could effectively go after an organization with a claim of negligence for not having adequate security controls in place.
He asked me what I thought about the Target case and I responded, “Depending on how this shakes out, anywhere between $100 Million and $1 Billion. It really could be a game changer.” My brother merely responded, “A billion, pumf – is that all? Hell, we just paid that as a fine to the Government”.
Before we go any further, for the record: I am not a licensed attorney. The information contained in this article is strictly the opinion of a cyber risk professional.
The difference between what I outlined a decade ago and today comes down to two key concepts. First, how a court defines “harm”. Second, how a court defines “standing”. Industry estimates and official reports provided by Target place tens of millions of credit and debit cards at risk. The information that first reached the public’s eye pointed towards a breach emanating from the point of interconnectivity between an industrial control system used for the refrigerators and Target’s core enterprise network (CEN).
Recently, the filing of a civil suit for damages against a third-party Payment Card Industry (PCI) Qualified Security Assessor (QSA), Trustwave, was announced after multiple lawsuits were filed on behalf of the bank card holders and, in limited circumstances, the banks themselves. As of April 1st, these two banks headed for the hills and withdrew their suit.
For the class action lawsuits (CLAs) where individuals are defined as a joined plaintiff, there is a high probability these cases will never see a courtroom. The reason for this opinion is a direct result of what other courts are holding: “Show me the harm.” For the experienced professionals in this industry, we know and understand that people or organizations skilled enough to obtain tens of millions of credit cards are not going to produce identity theft in any systematic, traceable way.
It is not like your Equifax report is going to show a 720 going to a 500 in a month or two. Adversaries will harvest this data and in numerous instances, will not touch it for weeks, months or maybe years. At this point, the ability to attribute harm to your person as a direct result of the initial breach is virtually impossible to prove. As a result, you cannot show harm. An inconvenience is not the same as actual harm. This has been the rub for many large cases in recent history.
The only entity that can legitimately claim harm is the bank, because of the cost to reprint cards, cancel the existing ones, and in limited cases reimburse cardholder accounts if the cards were in fact used for fraudulent purchases. Banks have historically stayed away from pursuit because it is a numbers game. They estimate losses and use the calculations to establish annual fees, annual percentage rates, etc. However, in one of the suits, two regional banks in Texas have stepped in – don’t mess with Texas!
Of all the banks involved, a court must then assess how much of these costs these two banks incurred to close out accounts and reprint new cards. This total value will be defined as compensatory damages. As with most previous cases, these CLAs will either be dismissed or likely settle with Target and, as part of the terms of settlement, sign a non-disclosure agreement, thus reducing Target’s exposure to future similar proceedings in court. What does this do for the ordinary consumer? Nothing.
In the face of these suits, Target will evaluate the past security assessments it has undergone, because it is likely that a plaintiff would subpoena them (as described in my previous article). When the banks and others decided to take a shot at going after a third party, Trustwave, I found it interesting. I am reminded of an older case: “Heartland”.
Just as a brief overview, Heartland sustained a massive data breach, defined as the largest in history at that point in time. Heartland had also undergone a PCI security assessment. What we must address is the fact that a PCI assessment only covers computing elements that store, transmit or receive credit card data. There have since been control enhancements evolving from past breaches that include an assessment of enclave or boundary protections (much like one would presume transpired with Target’s CEN and its points of interconnectivity with other network connections).
When we assess the industry staples like the Verizon, McAfee or Symantec annual reports, the plain and simple fact is that many organizations do not know, or even have a foundational inventory of, every asset with an IP address. This is basic Cyber-101, right? Wrong!
With advancements in cloud, mobile, bring your own device, etc., this is far more challenging than you may think. “Carter, can’t you run an NMAP?” Great question. Sure you can, but how often, and how do you know every element that has changed an IP address if you are hosted on Amazon or even a private cloud? Let us say cloud did not even apply in this scenario; I am not familiar with one commercial or government enterprise that has been successful in accomplishing this. (I am not insinuating certain three-letter agencies cannot, but then again, if I cannot assess it, I cannot confirm or deny.)
Trustwave has been conducting these assessments for years. The PCI Data Security Standard (DSS) is a well-established standard for conducting an audit to measure a level of compliance. Ah, our favorite word: “compliance”. Does compliance equate to secured? Rhetorical question. Provided that Trustwave’s assessment was directly in alignment with what the PCI DSS stipulates, they met their service level agreement (SLA). Does this change the fact that they will potentially spend millions of dollars defending their position? Nope.
Does this mean that Target is now opening itself up to disclosing communications and artifacts that normally would be deemed proprietary under a non-disclosure agreement or SLA? You bet! This comes directly from Target’s most recent 10-K:
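The inventory problem raised above (knowing every asset with an IP address, and noticing when one changes address between scans) is easier to reason about with a concrete check. The following is an added example, not code from the article or from any vendor it mentions: it diffs two inventory snapshots keyed on a stable identifier (a hostname, which is an assumption; a MAC address or cloud instance ID would serve the same purpose) and contrasts that with a naive comparison keyed on IP alone. All hostnames, addresses and owners are constructed sample data.

```python
"""Inventory drift check: compare two asset snapshots and report what changed.

Added example, not the article's own material. The two snapshots below are
constructed; the hostname used as the stable key is an assumption about how
the inventory is maintained.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str  # team responsible; "unknown" means nobody has claimed it


# Constructed snapshot from a previous scan (sample data, not real hosts).
SNAPSHOT_T0 = [
    Asset("pos-gw-01", "10.1.0.10", "payments"),
    Asset("refrig-ctrl-7", "10.9.4.23", "facilities"),
    Asset("web-frontend-3", "10.2.1.30", "ecommerce"),
]

# Constructed snapshot from the current scan.
SNAPSHOT_T1 = [
    Asset("pos-gw-01", "10.1.0.10", "payments"),
    Asset("refrig-ctrl-7", "10.9.4.57", "facilities"),  # a DHCP lease moved it
    Asset("build-agent-12", "10.5.0.8", "unknown"),     # never inventoried
]


def diff_inventory(old, new):
    """Return which hosts appeared, vanished, or changed address.

    Keying on hostname lets an address change show up as a change to a known
    host rather than as one host disappearing and an unrelated one appearing.
    """
    old_by_host = {a.hostname: a for a in old}
    new_by_host = {a.hostname: a for a in new}
    added = sorted(set(new_by_host) - set(old_by_host))
    removed = sorted(set(old_by_host) - set(new_by_host))
    readdressed = sorted(
        (h, old_by_host[h].ip, new_by_host[h].ip)
        for h in set(old_by_host) & set(new_by_host)
        if old_by_host[h].ip != new_by_host[h].ip
    )
    return {"added": added, "removed": removed, "readdressed": readdressed}


def naive_ip_diff(old, new):
    """The same comparison keyed on IP alone.

    The moved controller is reported as one address gone and a new one
    arrived, indistinguishable from an unknown device joining the network.
    """
    old_ips = {a.ip for a in old}
    new_ips = {a.ip for a in new}
    return {"new_ips": sorted(new_ips - old_ips), "gone_ips": sorted(old_ips - new_ips)}


def unowned_hosts(snapshot):
    """Hosts nobody has claimed: the ones an assessor's scope is most likely to miss."""
    return sorted(a.hostname for a in snapshot if a.owner == "unknown")


if __name__ == "__main__":
    for kind, items in diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{kind}: {items}")
    print("ip-only view:", naive_ip_diff(SNAPSHOT_T0, SNAPSHOT_T1))
    print("unowned:", unowned_hosts(SNAPSHOT_T1))
```

The point of the contrast is that a scanner run on its own only yields the IP-only view; the readdressed controller and the unowned build agent are only distinguishable once scan results are joined to an inventory with a stable key and an owner field, and the unowned list is exactly the set that falls outside whatever scope an assessor was handed.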
As of February 1, 2014, we have recognized a $44 million insurance-recovery receivable relating to the Data Breach because we believe recovery is probable. However, it is possible that the insurance carriers could dispute our claims and that we may be unable to collect the recorded receivable.
Let us say, for argument’s sake, that in the course of Trustwave’s assessment, findings with recommendations were presented, in writing, to Target. Now let us say that no action was taken in response to these recommendations. Target hiring Trustwave is a means of performing due diligence. However, the “standard of care” is how court cases are evaluated.
If findings were identified (most likely) and recommendations were defined (most likely), and Target did not take action because they evaluated the risk and felt it was not warranted (for example, spending $1M to protect against a maximum loss of $500K), then they have mitigated some of their risk exposure. Information made public, however, tends to support that Target may have been advised of issues and took no further action. In that scenario, they did not apply “due care”, which is the second element of the standard of care.
If a court assesses that a commercially reasonable option was available that would have mitigated this breach, then there is a high probability that the court will not throw out the case. But wait! Who would have standing? Don’t you need standing for a case to even go forward? Let us look at additional details provided in the 10-K:
For Data Breach-related exposures, we are unable to reasonably estimate a range of probable loss in excess of the recorded payment card network contingent losses. We believe that losses from the payment card networks in excess of the amounts recorded in fiscal 2013 are reasonably possible, and that these losses could be material to our results of operations in future periods, but we are unable to estimate a range of such reasonably possible.
While an independent third-party assessor found the portion of our network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, we expect the forensic investigator working on behalf of the payment card networks nonetheless to claim that we were not in compliance with those standards at the time of the Data Breach.
We base that expectation on our understanding that, in cases like ours where prior to a data breach the entity suffering the breach had been found by an independent third-party assessor to be fully compliant with those standards, the network-approved forensic investigator nonetheless regularly claims that the breached entity was not in fact compliant with those standards.
I draw your attention to an older case involving TJ Maxx. This was a similar scenario, but what unfolded was unexpected. Actual sales blew out corporate expectations and significantly softened the blow of the legal defense costs. This ultimately fared well with investors, and the stock price actually went up. When we evaluate the social norms of today versus a few years ago, things have obviously changed.
In the weeks following the announcements about the breach, shares fell from $10 a share. As we can see, there was a slight resurgence, but the ultimate impact is to the share price during this period, as well as potentially to the value in late 2014 to early 2015.
I actually applaud Target for following SEC guidance and describing the breach in their 10-K. This has been a major source of contention in the industry, and it may preclude the SEC from seeking an injunction or supporting any sanctions by state attorneys general. What it will not prevent are the following elements, from which a legitimate CLA may be forthcoming:
- How many shares of TGT were acquired before November 2013 (including options).
- How many shares were sold at a loss or where options expired in January-February 2014?
- Were findings provided to TGT and if so, how much time transpired between notification and the breach?
- Were the risks associated with the findings commensurate with the cost to remediate and consistent with what a court will determine to be “commercially reasonable”?
- What risk assessment did Target perform before enabling the interconnectivity of the ICS with their CEN?
- What language exists within any SLA between Target and the ICS vendor? Would a reasonable and prudent person have understood in 2013 that these systems interconnect with a CEN and inherently may introduce a risk?
TGT consistently traded at 3.5 million shares a day back in November, preceding the fall. Suppose a case were mounted against TGT by shareholders who took a loss between January and February due to diminished share value directly resulting from legal defense and incident response efforts, and it could be shown that the loss stemmed from taking no action in response to a recommendation arising from a core finding. That equates to approximately $35 million in compensatory damages; then take into consideration punitive damages plus other legal fees.
Regardless of the fact that a $1 Billion fine is chump change in the financial sector, I do believe that, after all is said and done, the totality of the losses incurred by TGT will clearly diminish expected future revenues and directly impact the share price more than what we saw earlier this year. With a recent disposition by the U.S. District Court for the District of New Jersey, the Government can sanction hacked companies (see the Wyndham security breach), thus further increasing an organization’s exposure to risk.
Please note this article is not designed to be a fear, uncertainty and doubt (FUD) piece. This is a real scenario in which great financial harm will be inflicted on a major U.S. business, and understanding what all companies should know about cyber risk management and its legal ramifications will be essential to addressing cyber risk adequately, or in a “commercially reasonable” manner, as it aligns with the standard of care.
About the Author: Carter Schoenberg has more than 19 years of combined law enforcement, cyber intelligence and cyber security experience. Starting his professional career in law enforcement as a homicide detective, Carter moved into the private sector, working with the ISS X-Force on daily threat and reconnaissance reports for the ISAC community and DHS. After leaving ISS, Carter worked with the Motorola Security Services Division, spearheading a new method of assessing risk by evaluating the actual costs of security events. In 2010, Carter acted as the lead Information Systems Security Officer for the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center before taking on his current role as the Technical Director for CALIBRE Systems’ Cyber Security Services, in addition to teaching cybercrime, terrorism and white collar crime at the undergraduate level. He has authored several white papers on cyber risk and litigation and is an accomplished speaker at events like SecureWorld Expo, ISSA and InfoSEC World, and in September will be speaking at the ISC2 Security Congress.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.