On Thursday, TARGET announced that it had been the victim of a cyber attack in which hackers stole credit and debit card data belonging to as many as 40 million customers who made purchases at the height of the holiday shopping season. The incident was first reported the previous day by the website KrebsOnSecurity.com.
TARGET announced that the card data was stolen in real time from point-of-sale terminals in the company’s US stores between November 27 and December 15. Although the company’s forensic investigation is ongoing, the company has already ascertained that the breach compromised customer names, card numbers and expiration dates, and CVV code numbers.
Companies like TARGET that are victimized by hackers increasingly find themselves on the business end of class-action lawsuits alleging violations of state unfair competition and privacy laws, as well as contract- and negligence-based claims. And victim companies are also increasingly the target – no pun intended, this time – of investigations by the FTC and state Attorneys General.
The true costs of responding to attacks like this go beyond the immediate expense associated with the forensic investigation, customer notifications, and the provision of free credit monitoring services or other forms of identity theft assistance. The true costs include millions of dollars spent defending these lawsuits and enforcement actions. And those costs are growing.
The TARGET attack is a reminder to companies both large and not-so-large that they need to take proactive steps to review their data privacy and security before a breach occurs, both to reduce the risk of a breach and to reduce the litigation exposure if a breach does occur. That kind of proactive review – including legal, technical, and administrative measures – should be conducted under the auspices of outside counsel, to ensure the protection of the attorney-client privilege.
Data privacy and security class-action suits have become the ambulance-chasing of the 21st century, with class-action lawyers scouring the web for reports of data breaches and alleged privacy violations and then racing to the courthouse to file complaints. But the race to the courthouse in this case would have made Usain Bolt proud, as the first class-action suit was filed within hours of TARGET’s announcement.
After that fast a race to the courthouse, I wouldn’t be surprised if the ambulance chasers needed an ambulance themselves. Or if they at least pulled a hamstring. I bet they have something for that at TARGET.