December 29, 2013

Several billions of dollars.  That is the amount most analysts believe Target (NYSE: TGT) could be on the hook for after an online security breach exposed the credit and debit card information of 40 million consumers who shopped at the giant retailer between November 27th and December 15th.  This includes federal and state regulatory penalties, lawsuits and lost revenues from disgruntled and concerned shoppers.

How this happened will of course be the subject of intense scrutiny over the coming weeks and months – and the hope is that those who perpetrated this breach will be brought to justice.  Yet as troubling as this breach has been for all those affected, this event does present an opportunity for corporations across the globe to tighten their own security measures (both on and off-line) in order to protect the information they store and maintain on behalf of their customers, vendors and employees.  If it can happen to one of America’s largest retailers in the aftermath of the massive TJX security breach in 2007, it can happen to almost any corporation.

Any corporation which stores and maintains personal identifying information has a potential liability exposure.  The boards of directors of these corporations (public, private and non-profit) are realizing in greater numbers that they cannot simply close their eyes and hope that management is “on top of it”.  Many boards are recruiting corporate directors with deep expertise in information technology, with a particular emphasis on online security.  Although such a director appointment may not be necessary for every board, the Target breach does present an opportunity for boards to step forward and demand an update from management regarding the security infrastructure and processes at their corporation(s).  Beyond just receiving a report, boards should ask probing questions of management, such as:  When was the last time the security infrastructure and processes were updated?  How often is our security tested?  What, if anything, do you plan to do to our system in response to the Target breach?  When was the last time we had an independent security audit?

What we continue to learn in this technologically advanced society is that almost nothing is 100% secure.  Nevertheless, there are measures which can be taken to enhance the security of personal information – and boards owe it to their stakeholders to ensure that such measures, as appropriate, are implemented.

  • Andy Kaplan

    January 5, 2014 at 3:46 pm

    At DonorsChoose.org, we process about $30mm in online contributions per year. We’re using “tokenization” of credit card numbers as a defense against the bad guys. However, tokenization is only as good as the security surrounding our third party payment processor. After the Target incident, I asked our payment processor to let me know in detail if they are enhancing the security of their own systems. If yes, what are they doing. If no, to please fill me in on why they believe their security does not need to be enhanced.
