A Wall Street Journal article from this week disclosed that some of Target’s top executives counseled against disclosing that an additional 70 million individuals were affected by the breach (after Target had disclosed the initial 40 million figure). After all, the combined number of 110 million would represent over one-third of all Americans. It remains unclear (or at least unreported) whether the additional 70 million had their financial information compromised. In any event, the “top executives” advised Target that it wasn’t legally required to disclose any data breach other than stolen card numbers. WRONG! Check the state breach notification statutes, Target. Personally Identifiable Information (PII) is defined very differently in each of the 46 states that have a breach notification law, and the definitions are not limited to payment card data. As little as an e-mail address may trigger a notification obligation in some states.
Target’s CEO told the WSJ that “Target won’t be defined by the breach, but how we handle the breach.” Unfortunately for Target, its customers and shareholders, as well as state and federal regulators, are going to look at both the breach itself and how (and when) Target notified its customers. Based on all of Target’s missteps and inconsistent messages once the breach was leaked, I sure wouldn’t hang my hat on Target’s “handling” of the breach.
The full WSJ article can be found here.