Why Target Is Negligent


Target tweeted “if you shopped at a Target store Nov. 27 – Dec. 15” you should check your credit card for suspicious activity.

According to Quicken, I shopped at my local Target store 87 times in 2013, so far. I shopped there five times during the period Target is warning us about, and I’ve been there five times since. My counts don’t include all the trips to Target my wife made (which is probably double mine).

I’m not concerned about potential fraudulent activity on my Visa. What concerns me is that the same Visa card that I use at Target each week to buy baby wipes is also the credit card I use to cover automatic monthly payments for countless other services. What concerns me is all the time wasted updating payment information with dozens of websites, my dry cleaner, my gym membership, etc. Thanks a lot, Target!

Target is now facing several lawsuits across the country. Plaintiffs will argue that inadequate or unreasonable security measures contributed to the hacking incident. Data security laws mandate that organizations implement “adequate safeguards” to ensure privacy protection.

Target, like every large organization, constantly replaces outdated computers, servers, laptops, copiers, point-of-sale systems, and countless other types of electronic devices. Because retired equipment still contains sensitive data, organizations must have adequate safeguards for the entire process of IT asset disposition (ITAD).

“Safeguard” is a euphemism for internal control. There are two basic types of internal control: preventive and detective. A lock on a door is an example of a preventive control. An alarm system on that same door would be considered a detective control.

Both types of internal control are essential to having adequate safeguards.

Target should have no problem demonstrating it has preventive controls in place. For example, outsourcing ITAD to a qualified recycler should be considered a preventive control.

It is important to understand that outsourcing alone is not equivalent to having adequate safeguards. Having adequate safeguards also requires that Target have effective detective controls. Without effective detective controls, trusted insiders can take retired assets before the handoff to an ITAD vendor, before data is destroyed, and without anyone noticing.

A critical aspect of detective control is separation of duties. Organizations must minimize conflicts that create opportunities for theft and fraud. Security incidents go undetected when an organization relies on employees to self-report incidents. Naturally, employees tend to report self-serving interpretations, especially when facts could make them look bad.

Plaintiffs should see if Target has effective detective controls. If an organization cannot prove the whereabouts of 100% of its retired computers, how can it claim to have adequate controls in place?

Moreover, if an organization fails to detect any loss, fails to consider the loss a security incident, fails to conduct a formal investigation, or fails to disclose a potential breach, that organization is guilty of willful neglect.

Now, I’m not suggesting that a retired computer was directly responsible for the hack. We don’t know at this point.

What I am suggesting is that Target is negligent if it cannot demonstrate adequate safeguards, specifically effective detective controls for ITAD. That goes for any organization trusted with our personal data.

It should be extremely easy for plaintiffs to determine if Target can account for the whereabouts of 100% of its retired computers.

Target will be forced to defend against punitive privacy class actions. Eleven lawsuits have already been filed. If Target cannot demonstrate effective internal controls, ITAD could be the Achilles’ heel that results in a plaintiff lawyer’s dream come true.

Sorry, Target, I’m not singling you out. I still love you and will be making my 88th trip on my way home from work.