Data Breach Settlement Insufficient

Breaches, breaches everywhere but not a consequence to be found – until now.

Data Breaches Passe


The Target data breach settlement negotiated by Mastercard has been refused by the three largest participating banks

Data breaches are (almost) no longer newsworthy. Exploited companies publish bland notices to the community indicating a breach has been reported and they are cooperating with authorities. Cyber security experts investigate.  The exploited company publishes the boilerplate list of exploited vulnerabilities. Occasionally a CISO or CIO’s employment is terminated.  And so on.

People complain about credit card interest rates but don’t correlate that experience to data breaches. It turns out a cause of high-interest rates is the result of card issuers recovering the costs associated with credit card data breaches. And guess what? That cost of doing business matters to the card issuers. The tide is turning and the accountability for data breaches is going to shift.  In their own self-interest, the major banks are pushing back – and we will eventually benefit.

Big Banks Push Back

Citigroup, Capital One Financial Corp. and J.P. Morgan Chase & Co. have each rejected the $19 million settlement negotiated on their behalf by Mastercard with Target Inc. More than $350 million has been spent addressing all of the issues associated with the 40 million cards affected by the data breach. An untold number of dollars has been stolen by the thieves associated with the Target breach with an estimated 9 billion US lost to thieves industry-wide last year. Small card issuers receive only pennies on the dollar for their losses.  They get their money after the big firms get theirs.  In that context, it’s not surprising that the major banks behind the card issuers are taking a firmer stand.

But how much is enough and how much can Target afford to spend compensating these firms for their lax controls? At what point does the consequence pass beyond termination of a senior executives employment and affect the stockholders of a company? When they care – we’ll benefit.  Target reported net revenue of 72 billion dollars in 2014.  While the settlement figure might affect stock prices temporarily, it’s not going to have a lasting effect.  Hopefully, the banks can raise the stakes and make the settlement meaningful for Target’s stakeholders – so we benefit.

Top Down Urgency

The pragmatic decision makers with whom I work rarely find my more urgent recommendations compelling. Driving change in security and compliance practices can be challenging.  Finding the right ‘lever’ to influence decisions is what the work is all about.  The recent unclassified report to President Obama by the President’s Council Of Advisors On Science and Technology (PCA ST) entitled “Immediate Opportunities for Strengthening the Nation’s CyberSecurity” is going to significantly change the conversation. While there’s nothing in the report that’s going to startle any security professional, the authors have significant clout and the recipient definitely can influence change.

If I were to boil the entire paper down to a single statement, it would be “we need to build a culture of awareness and vigilance in to society and more specifically the commercial sector through existing governance models”.  The most compelling and relevant statement in the report is:

The President should strongly encourage independent regulatory agencies to adopt regulations that require self ­reporting of continuous ­improvement practices along these same lines. In particular, the Securities and Exchange Commission (SEC) should mandate, for publicly held companies, the disclosure, as investment risks, of cyber-security risk factors that go beyond current materiality tests

The wheels of government do move slowly – but they grind everything down to the same fine powder.  The Sarbanes-Oxley act drove significant change in the commercial sector.  Eventually this recommendation is going to blossom in to legislation.  Once the SEC (or equivalent federal agency) requires it, my pragmatic decision makers will embrace the need for fundamental change in much the same way they did Sarbanes-Oxley – and I’ll have fewer opportunities to promote challenging changes.  That’ll be a good day.