“Ongoing investigation.” “Forensics and law enforcement continue to investigate.” For now, it is a bit too early to write the “Lessons Learned” piece about the Target/Neiman Marcus/Michaels data breach incident. But there are a few things that were known before these latest payment card/database breaches occurred and should be put into context in light of what we are currently investigating.
From the legal perspective, data breach notification laws are just that: after-the-fact notification. Most state data breach notification statutes set out few proactive standards to which businesses are generally held. Massachusetts has been the notable exception since 2010. An excellent review of the Federal Trade Commission’s consent orders in the data privacy and security arena by scholars from Carnegie Mellon provides a road map to what has been considered unreasonable and where businesses should be looking to address known vulnerabilities — but this analysis was written in 2008 and the same vulnerabilities seem to keep tripping up businesses.
There is a consistent note underlying the latest (and some of the earlier) data breaches: “but we were PCI compliant.” Unfortunately, that refrain is likely the takeaway here. Reliance on the Payment Card Industry Data Security Standard (PCI-DSS) is misplaced. It is a starting point, not the endgame. PCI standards do not require that cardholder data (whether it is EMV or mag-stripe) be encrypted “in transit.” The standards only specify that such data be encrypted at rest — that is, when it is stored. Most merchants have moved to tokenization and do not store cardholder data. If they do store that information, to be PCI compliant, it must be encrypted. But the hackers are grabbing the data in real time, moving it to dump files and picking it up later. If you want to know the gory technical details of this type of hack, check out Krebs on Security and read Brian Krebs’ analysis of each of the latest breaches. Although the information is still evolving, the tactics appear to be the same.
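The gap described above, between data that is protected at rest and data that is exposed while it moves through the payment flow, can be made concrete. The following is an added illustration written for this piece, not code from the article or from any retailer or card brand. It uses a simplified, constructed transaction record (the real track-data format is more involved), a hypothetical `TokenVault` standing in for a merchant’s tokenization service, and a Luhn-based scanner of the kind a defender uses to find card numbers in places they should never appear, such as dump files on a point-of-sale host.

```python
import json
import re
import secrets
import string

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Filters out order numbers, timestamps and other digit runs that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid primary account numbers found in arbitrary text.

    This is the defender's view: if this returns anything when run over a
    log, a temp file or a memory dump, cardholder data is where it should
    not be."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """Hypothetical tokenization service (assumption, not a real product).

    Issues a random, non-numeric token per PAN so that nothing stored by the
    merchant is a card number. A production vault would live on a segregated
    system and encrypt the PAN column; that is omitted to keep the point
    visible."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        # Letters only, so a token can never itself pass as a PAN.
        body = "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
        token = f"tok_{body}_{pan[-4:]}"
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def simulate_transaction(pan: str, vault: TokenVault):
    """Return (in_transit_record, at_rest_record) for one constructed sale.

    The in-transit record is what the terminal hands to the payment
    application before tokenization; the at-rest record is what the
    merchant keeps afterwards."""
    # Constructed, simplified stand-in for swiped track data.
    in_transit = f"TRACK2={pan}=2512101 AMT=4999 STORE=0042"
    token = vault.tokenize(pan)
    at_rest = json.dumps({"token": token, "last4": pan[-4:], "amount": 4999})
    return in_transit, at_rest


if __name__ == "__main__":
    vault = TokenVault()
    moving, stored = simulate_transaction("4111111111111111", vault)  # industry test PAN
    print("PANs visible in transit:", find_pans(moving))   # one hit
    print("PANs visible at rest:  ", find_pans(stored))    # none
    print("order number is not a PAN:", find_pans("ORDER=1234567890123456"))
```

Run as a script, the in-transit record trips the scanner while the tokenized record does not, which is exactly why “we encrypt stored data” says nothing about the window the memory-scraping attacks described by Krebs exploit. The same `find_pans` routine, pointed at files that accumulate on point-of-sale systems, is a cheap detection control for the “dump files” the article mentions.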
In order to get ahead — and stay ahead — of the hackers, industry participants need to push one another and not point at one another. Retailers and card associations must get into the same boat and row in the same direction. The debate over mag-stripe versus the so-called EMV card (or chip-and-PIN) is not the only issue; however, it is notable that the United States is one of the last countries to use magnetic strip technology on its payment cards. But there are no magic wands here; by the time EMV adoption arrives, the perps will have found an end run and retail will again need to pivot.
The FBI has warned retailers to expect more card breaches. “Expecting” breaches and “anticipating” breaches are different, and retail information security technology is not particularly good at detecting intrusion. All of the latest retail hack victims (and retailers are victims of criminal behavior) only learned of the incident when notified by law enforcement — and law enforcement in turn had been notified by the credit card issuers when common point of purchase problems popped up. The FBI report distributed to retailers entitled “Recent Cyber Intrusion Events Directed Toward Retail Firms” should be required reading, not only in the CISO and IT shops, but also in boardrooms. Failures to act in light of known (and warned of) vulnerabilities can leave retailers exposed in the courtroom.
Directors should be focusing on information security issues as a regular part of risk management. What is the “duty of care” when it comes to information security? In the retail sector, like banking and healthcare, a failure to exercise due oversight in the boardroom could lead to material adverse effect on earnings. Who is in charge of cybersecurity? What is the role of board oversight? Does the company have an incident response plan, or is it ad hoc? Has the board participated (or overseen) a risk assessment of inside and outside threats? What is the company’s position on public disclosure in securities filings?
Invest in prevention — technical, operational, and legal. It is the rare business that operates now without a business continuity or disaster recovery plan. Operating without a straightforward, well-executed, well-monitored and tested information security plan should become equally rare.
Data breach investigations move quickly and facts change over time. This piece was written before it was learned that hackers likely gained access to the Target payment network — and the cardholder data stored there — through an email phishing attack at an HVAC vendor. What kind of network access do your vendors have? How are security assessments conducted? The Target incident demonstrates that any vendor — no matter how insignificant — with access into a network can create a vulnerability that can be exploited. Third-party risk assessments are as important as PCI assessments.
Cynthia Larose chairs the privacy and security practice at Mintz Levin Cohn Ferris Glovsky and Popeo PC and is a certified information privacy professional.