Breach epidemic's lurid chapter: who pays?

The Target breach case has the potential to define who has to write the checks to pay for the cleanup following a major breach.
Written by John Fontana, Contributor

Big money is on the table and we all know that's what makes the world go round.

A Minnesota judge's ruling, which sided with a bevy of banks claiming Target Corporation owes them for the damage caused by last year's massive data breach, will set the tone to answer a linchpin question: who pays for the cleanup and how much?

The answer will establish precedent and likely trigger major changes in enterprises across vertical industries.

How the Target case plays out will have lasting impact on how all businesses define and document digital security, how they are contractually connected to partners, and how they deflect or mitigate liability.

U.S. district court judge Paul Magnuson, who is overseeing the Target case, announced his decision Dec. 2 and said the retailer "played a key role in allowing the [breach] to occur." Target had asked for the court to dismiss the class action lawsuit, brought by financial institutions, citing the lack of a contractual business relationship.

Brands are already facing class-action lawsuits from customers over breaches, including Jimmy Johns and Coca-Cola. These types of cases historically have not ended in the customer's favor, but a slugfest between giants in retail and financial services may well build a legal framework that defines digital commerce.

This could be the point where breaches are not defined by the tens or hundreds of millions of records stolen but the tens or hundreds of millions of dollars in fines and penalties.

"The Target case could lead other banks to take legal action in the wake of retailer breaches," Ted Schaer of Philadelphia-based law firm Zarwin Baum DeVito Kaplan Schaer Toddy, P.C. told the web site Data Breach Today. " What you're seeing here is they're not going to stand for it and they're going to require accountability from the C-suite [at breached merchants] to assure that proper security in network and point-of-sale terminals is established - and if not, they're going to seek redress."

There is still much water to flow under that bridge, but it's logical to believe retailers should be on high alert given the almost indefensible onslaught from hackers.

A recent study, however, reveals a lingering norm of apathy and ignorance toward data security and privacy.

A study by security firm BitSight Technologies showed that of 300 large retailers that were analyzed 58 percent are less secure than they were a year ago. It showed more hackers were stealing more data and doing it with greater speed and transparency.

The study showed, however, that those who have been hit with breaches have gone on to improve security.

Recently the National Retail Federation invited nearly 100 of its members to get together and share data about potential threats in an effort to raise awareness and network security. It's a start; the NRF has more than 15,000 members.

The question has become when will the enterprise norm be pro-active instead of reactive? As the case in the Target breach plays through to its conclusion will its outcome carry enough impact for vertical industries and associations to redefine cybersecurity standards along with rules and regulations to protect enterprises - and ultimately consumers?

In a game of dodge ball, you can only hide in the corner for so long. Will companies stand pat and get plunked or go on the offensive?

Martin Ferenczi, president of North American operations for Oberthur Technologies, told the San Jose Mercury News, "Compared to two years ago, I would say that not much has changed except the urgency by the criminals."

Editorial standards