
Lessons From the War Over the Target Data Breach

Published by Craig Newman

The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.

In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target’s credit card payment system and lifted the credit card information of more than 70 million shoppers. That’s almost 30 percent of the adult population in the U.S.

Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.

And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.

The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.

On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.

Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs are permitted to second-guess the SLC members’ conclusions so long as the committee’s members are independent and the SLC’s investigative process is “adequate, appropriate and pursued in good faith.” By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the “non-objection” of the shareholders, subject to their lawyers’ right to petition the court for legal fees.

Target isn’t the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.’s leadership faced derivative claims relating to three separate data breaches at the company’s resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham’s board was fully engaged on data security issues and was already at work bolstering the company’s cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.

Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.

  1. Treat data security as more than “just an IT issue.” Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don’t know what they can’t see. Developing expertise in data security isn’t the objective; rather, it’s for directors to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
  2. Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO) to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
  3. Prepare for cyberattacks in advance. Boards should ask tough questions about their organization’s state of preparedness to respond to all aspects of a cyber-attack, from reputational risk to regulatory implications. Get your house in order now, and not during or after an attack. Not surprisingly, multiple studies—including the Ponemon Institute’s 2016 Cost of Data Breach Study—suggest that there is a correlation between an organization’s up-front spending on cybersecurity preparation and the ultimate downstream costs of responding to a breach.
  4. Decide whether and when to investigate data breaches. Before hackers strike, boards must decide whether and when they will proactively investigate a breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless, boards should be prepared to make this difficult decision, which will establish the tone of the company’s relationship with customers, shareholders, law enforcement, regulators, and the press.
  5. Develop a flexible cyber-risk management framework. Cyber-risk oversight isn’t a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company’s sector, profile, and type of information collected and stored. While cyber-criminals swiped credit card data in the Target and Wyndham cases, the threat environment has escalated to holding organizations hostage for ransomware payments and stealing industrial secrets.

Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line. Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.

Craig A. Newman is a litigation partner at Patterson Belknap Webb & Tyler LLP and chair of the firm’s Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofit institutions and their boards in litigation, governance and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and a private equity firm.

New Target Ruling Places Your Company’s Cyber Oversight in the Crosshairs


A recent discovery ruling in the Target Corp. data breach litigation has raised the stakes for corporations and their officers and directors when faced with a cyberattack. The ruling, issued on May 27, 2015 by Magistrate Jeffrey J. Keyes, requires Target to disclose details of similar breaches between 2005 and 2010, including the time frame for the attack, the methods used to access information, measures the company considered and instituted to prevent future breaches, and the extent of the financial fallout.

The Target breach grabbed headlines following the 2013 holiday season as news leaked that hackers had installed malware in Target’s security and payments system and captured the credit card information of approximately 70 million shoppers. All too predictably, a series of lawsuits followed that have been consolidated before a federal judge in Minnesota.

This discovery ruling—the most recent development in the Target data breach cases—opens the door to greater scrutiny of corporate cybersecurity decisions and focuses on how past breaches were handled by both senior management, and importantly, by corporate boards.

While the ruling technically applies only to the cases brought by the financial institution plaintiffs in the Target case—banks that had issued the now-compromised credit cards—plaintiffs can be expected to seize upon this ruling and use it as a tactic to argue for similar discovery in other data breach cases. Of particular note are the consequences in class actions and in shareholder derivative suits, where the conduct of corporate leaders is front and center. The ruling opens the door to tough questions about corporate behavior: how were past breaches handled? Were the breaches adequately remediated? Were reasonable internal controls put in place to manage future cyber risks? And, perhaps most importantly, were “red flags” or early warnings of the breach ignored?

Cyberattacks are only becoming more brazen and more prevalent, and data breach litigation is on the rise. Plaintiffs in these suits will use the most recent Target ruling to argue that a company’s actions need to be evaluated not only with respect to the existing breach but also with respect to past, or even merely attempted, breaches.

The decision also serves as a reminder of what companies should already be doing. Specifically, there are at least three steps companies should take with respect to their cybersecurity, if they have not already done so.

First, companies should have a data incident response plan in place before a breach occurs. A company’s plan should take into account what kinds of data need to be protected, who is likely to try to steal or acquire that data, and who the relevant stakeholders are in the event the data is lost or stolen. Companies should also have their outside counsel and data forensics teams selected and on speed dial.

Second, companies should evaluate their insurance needs for cybersecurity issues. A standard commercial general liability (CGL) policy may ultimately cover some data breach claims, but it could require time and money to establish that coverage, a lesson Sony learned the hard way after North Korean hackers infiltrated its systems. Sony lost its coverage dispute with its CGL carrier at the trial court and settled the dispute before the appeal was heard. A specialized cyber policy can help avoid a situation like Sony’s. In addition, public companies should consider what disclosures they make to investors about cybersecurity risks in light of their insurance coverage.

Third, knowing that plaintiffs in other data breach cases will likely seek discovery of prior breach incidents, companies must adopt and document clear policies that outline the steps being taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors and specify the frequency with which security policies are updated.

Cyberattacks are not going away. Companies that proactively adopt sound cybersecurity policies and practices will find it far easier to defend themselves when their businesses come under attack.

Craig A. Newman is a partner at Patterson Belknap Webb & Tyler LLP and chair of its Privacy and Data Security Practice Group. Scott Caplan is an associate in the Privacy and Data Security Practice Group at Patterson Belknap Webb & Tyler LLP.