The following is excerpted from “Avoiding the Bullseye: CyberSecurity Lessons from the Target Litigation” a recent paper written by David M. Furr, JD and originally published on the American Bar Association website.
Traditional retail in the United States has had two distinct issues negatively affecting its survival in this decade. First, the proliferation of E-commerce companies has severely reduced the profitability of the traditional brick and mortar businesses as shoppers’ habits are fundamentally changing. In the first four months of this year, nine retailers have filed for bankruptcy — Payless Shoes, hhgregg, The Limited, RadioShack, BCBG, Wet Seal, Gormans, Eastern Outfitters, and Gander Mountain — with the closing of hundreds of stores.1 Many other retailers are shuttering stores at such a record pace that 2017 is being bannered as the year of retail bankruptcies.2
Second, retail has been particularly hard hit by cybersecurity breaches because of the wealth of Personal Identity Information (PII) collected and, unfortunately retained, by the retailers. The 2013 massive compromise of retail giant Target’s systems has been litigated in the courts and subject to an extensive Multi-State Attorney-General Task Force action that has produced record payouts to plaintiffs.
The purpose of this paper is to use the Target litigation as a backdrop of the cybersecurity measures a business must have in place if it is to protect adequately the PII of its lifeblood — the customers. While common tort and specific statutory theories serve as the foundation for these claims, the sophistication of the Plaintiff counsels’ deep dive into the actual technology facts serve as an important road map to safe cybersecurity.
The Target Breach, By The Numbers
- 40 million – the number of credit and debit cards stolen between November 27 and December 15, 2013
- 70 million – the number of records stolen that included the name, address and email address of Target shoppers
- 46 – the percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before
- 200 million – estimated dollar costs to the credit unions and community banks for reissuing 21.8 million cards — about half the total stolen
- 0 — the number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target
- $18 – $35.70 – the median price range per card stolen from Target and resold on the international black market, reaping an estimated $53.7 million in income
- 1 – the resignation of the CEO3
- $252 million – costs associated with data breach through 20144
Read the full version of “Avoiding the Bullseye: CyberSecurity Lessons from the Target Litigation” here.
1 Hayley Peterson, ‘The dominoes are starting to fall’: Retailers are going bankrupt at a staggering rate, Business Insider, (Apr. 11, 2017), http://www.businessinsider.com/retailers-are-going-bankrupt-at-a-staggering-rate-2017-4.
3Brian Krebs, Email Attack on Vendor Set Up Breach at Target, Krebs on Security Blog, (Feb. 12, 2014). http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
4Kevin McGinty, Target Data Breach Price Tag: $252 Million and Counting, Mintz Levin Blog, (Feb. 26, 2015). https://www.privacyandsecuritymatters.com/2015/02/target-data-breach-price-tag-252-million-and-counting/.