Almost two years after its infamous data breach, Target is still dealing with the ramifications. Most recently, on August 18, 2015, Target announced an agreement to reimburse thousands of financial institutions up to $67 million. Target settled with Visa Inc. on behalf of institutions that issued credit and debit cards. And Target said it is working with MasterCard Inc. on a similar settlement.
Although Target's data breach is now nearly two years old, five lessons learned from it continue to have far-reaching impact:
1. CYBER PREPAREDNESS THROUGHOUT THE INSTITUTION IS CRITICAL
Following Target's and other high-profile data breaches, the National Institute of Standards and Technology ("NIST") Framework created a template reflecting industry standards and best practices for managing cybersecurity risks. It encourages companies to be proactive and to identify and address complex issues and situations before institution-threatening, and (sadly) near-inevitable, cyber events occur:
- Identify: Develop an organizational understanding required to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: Develop and implement the appropriate activities to identify and avoid cyber events
- Transfer: Develop and implement an appropriate insurance program that deals with cyber and privacy events
- Respond: Develop and implement the appropriate activities to respond to a breach or other cyber event
- Recover: Develop and implement appropriate plans to maintain resilience and restore any capabilities or services that were impaired by a cybersecurity event
Taking a deliberate approach to identifying, assessing, and addressing relevant cyber risks, using experienced legal counsel working together with IT experts, can go a long way toward avoiding the fallout created by Target-like data breaches.
2. CONTINUAL ASSESSMENT AND MODIFICATION OF EXISTING CONTROLS IS IMPORTANT
All companies need to review and revise information security policies to protect critical cyber assets and guard against actual and potential threats. Institutions need to adjust and/or design appropriate security controls and plans to, among other things:
- Monitor and control access
- Properly encrypt and otherwise protect personally identifiable information (for customers and employees)
- Ensure that duties are properly separated among appropriate personnel and, where appropriate, dual controls are in place
- Ensure that networks are properly segmented so that a breach is contained to a specific area
- Safely dispose of critical information
With respect to all of the aforementioned and other controls and plans, consistent staff training and evaluation is critical; a perfect plan is useless if it is simply in a drawer.
3. THIRD-PARTY VENDOR MANAGEMENT
An essential part of assessing existing controls and plans is reviewing vendor relationships and how vendors can affect an institution's risk profile: the Target data breach was facilitated through an HVAC vendor.
This process must be conducted by management and at the board of directors level. Institutions should specifically analyze the nature of the vendor services and the vendor's potential access to personal and confidential information. It is important to define, agree upon, and document expectations at the start of the engagement, and to review those expectations at least annually and after any change in services. After entering into a contract with a third party, management should dedicate sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the relationship.
4. INCIDENT RESPONSE PLANS ARE CRITICAL
A critical aspect of any cyber preparedness plan is the development and implementation of an incident response protocol. The response protocol should address unauthorized access to or use of critical information that could result in substantial harm or inconvenience to others. Among other things, the components of an effective program include:
- Assessment of the nature and scope of the incident and identification of what customer information has been accessed or misused
- If required, prompt notification to state and federal regulators once the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
- Measures to contain and control the incident to prevent further unauthorized access to or misuse of customer information, while preserving records and other evidence
- Efficient notification to customers, with consistent messaging, when warranted
Considering the importance of these controls, plans, and protocols, institutions should routinely test the effectiveness of their incident response plans and conduct tabletop exercises to evaluate existing response programs and make modifications as warranted. Institutions must understand that regulator examinations should not be considered system tests.
5. BOARD SUPERVISION – INCREASED INVOLVEMENT WILL DECREASE POTENTIAL LIABILITY
Boards must work closely with management to assemble the proper teams and prepare plans to prevent and respond to any cyber breaches. To properly prepare, institution management and directors should understand the NIST Cybersecurity Framework to ensure compliance. To that end, management and boards should be able to answer the following important questions:
- What is the board's familiarity with cybersecurity?
- Have the company's critical cyber assets been identified and are they properly protected?
- Can the board articulate its cyber risks and explain its approach and response to such risk?
- Has the board assigned clear roles and responsibilities for identifying, evaluating, monitoring, and responding to cybersecurity incidents?
- What are the company's crisis communications plans in the event of a cyber attack?
- Is the company properly managing third-party vendors who have access to their IT environment?
- Does the company's insurance cover a cyber event?
As recent cases have demonstrated, board preparedness and planning can be critical to insulating directors from liability, or at least to minimizing damage. Following the Target data breach, multiple officers and directors were removed or resigned, and the reputational fallout was substantial.
As the Target suits and settlements demonstrate, data breaches often trigger increased regulatory scrutiny, enforcement actions, and litigation. Cyber-preparedness is critical to avoiding the significant costs associated with the ongoing cyber war: loss of critical cyber assets, reputational damage, an increased likelihood of further attack, fees paid to professionals to prepare for and fight legal battles, and penalties from regulators. Any of these can be devastating to an organization.