A Minnesota District Court ruling this week related to the 2013 Target data breach has opened the door for banks to pursue damages from retailers victimized by a data breach.
Judge Paul A. Magnuson ruled that Target was negligent in ignoring and, in some cases, turning off security features that the court said would have stopped the 2013 holiday shopping season breach. In a 16-page explanation, Magnuson concluded that financial institutions pursuing compensation from Target in court can continue with class-action lawsuits.
“This opens the door to a legal precedent that if you get breached, you’re now automatically responsible for all the bank costs they can think of,” said Gartner vice president and distinguished analyst Avivah Litan. “Now what governs rules of liability are Visa and MasterCard rules, and those are not law, they’re rules of the card brands. Now, those rules are becoming law.”
The bone of contention in the Minnesota ruling is that Target ignored alerts set off by a FireEye malware detection system installed months prior to the breach. Target’s contention is that the system fired off thousands of alarms, and that it was impossible to distinguish between less important alerts, false positives and the more serious indications that an intrusion had occurred.
The Target hackers were able to access the giant retailer’s network by using the compromised credentials of an HVAC vendor contracted by Target. The hackers used those credentials to burrow deep into the retailer’s network, install point-of-sale malware on terminals in many of its U.S. locations, and then siphon off 40 million payment card numbers and security codes, along with the personal information of 70 million customers. Investigators have revealed that the stolen data was staged on servers inside the Target network until the hackers exfiltrated it.
“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”
Litan questioned the ruling on the grounds that Target’s difficulties in properly analyzing alerts from its detection systems are not unique.
“It’s not fair at all. I’m sure the alarms went off at Chase as well,” Litan said, referring to a massive breach at JP Morgan Chase this summer. “These systems put out hundreds of thousands of alerts a day and it’s difficult to know which are important. It’s wrong to pull out the FireEye alerts and say Target didn’t listen to them. This demonstrates the difficulty in keeping up with security monitoring. Target is not alone; they’re not the only institution that can’t keep up with 100,000 alerts an hour. Look what happened with JP Morgan Chase, and they’ve got a $250 million budget allocated to cyber.”
Data breaches have been a fairly regular occurrence for close to a decade. The response of banks in the early heyday of ChoicePoint, CardSystems, Heartland and other massive breaches was to roll out the Payment Card Industry Data Security Standard (PCI-DSS) and shift responsibility for securing payment systems onto the retailers. Next October, chip-and-PIN rollouts are expected to accelerate in the U.S. as a liability shift takes effect under which the party with the lesser standard of care becomes responsible in the event of a breach. For example, if mag stripe data is stolen from a retailer that supports chip-and-PIN cards, the card-issuing bank assumes liability.
Retailers, meanwhile, have argued that they too have borne tremendous costs because of breaches. In a letter from a number of prominent retail associations, including the National Retail Federation and the Retail Industry Leaders Association, to the Credit Union National Association and National Association of Federal Credit Unions, retailers argue that costs are borne equally with financial institutions and that retailers do contribute to the costs of issuing new cards to consumers post-breach.
Retailers also pointed out in the letter dated Oct. 30 that merchants collectively spend $6 billion annually on data security and are proactively leading the charge for chip-and-PIN deployments. They back up their case by noting that outside the U.S., 70 percent of merchants support chip-and-PIN point-of-sale terminals (and 40 percent of consumers carry upgraded chip cards), whereas in the U.S., 20 percent of merchants have upgraded terminals but fewer than one percent of cards have chips rather than mag stripes.
“The most unfair part of this is that the banks saw this coming in 2006 and their response was PCI and to put security problems on the retailers,” Litan said. “And only now are they moving to chip-and-PIN. Target would not have happened. Home Depot would not have happened if they’d acted quickly then. You cannot rely on millions of retailers to secure insecure payment systems.”