Several billions of dollars. That is the amount most analysts believe Target (NYSE: TGT) could be on the hook for after an online security breach exposed the credit and debit card information of 40 million consumers who shopped at the giant retailer between November 27th and December 15th. This includes federal and state regulatory penalties, lawsuits and lost revenues from disgruntled and concerned shoppers.
How this happened will of course be the subject of intense scrutiny over the coming weeks and months – and the hope is that those who perpetrated this breach will be brought to justice. Yet as troubling as this breach has been for all those affected, this event does present an opportunity for corporations across the globe to tighten their own security measures (both on and off-line) in order to protect the information they store and maintain on behalf of their customers, vendors and employees. If it can happen to one of America’s largest retailers in the aftermath of the massive TJX security breach in 2007, it can happen to almost any corporation.
Any corporation which stores and maintains personal identifying information has a potential liability exposure. The boards of directors of these corporations (public, private and non-profit) are realizing in greater numbers that they cannot simply close their eyes and hope that management is “on top of it”. Many boards are recruiting corporate directors with deep expertise in information technology, with a particular emphasis in online security. Although such a director appointment may not be necessary for every board, the Target breach does present an opportunity for boards to step-forward and demand an update from management regarding the security infrastructure and processes at that their corporations(s). Beyond just receiving a report, boards should ask probing questions of management, such as: when was the last time the security infrastructure and processes were updated?, how often is our security tested?, what, if anything, do you plan to do to our system in response to the Target breach?, when was the last time we had an independent security audit?
What we continue to learn in this technologically advanced society is that almost nothing is 100% secured. Nevertheless, there are measures which can be taken to enhance the security for personal information – and boards owe it to their stakeholders to ensure that such measures, as appropriate, are implemented.
Share this story