Target’s access management failure continues to sting
March 27, 2014

The biggest difference between proactive security procedures and reactive ones can be directly tied to the financial damages that come with a major instance of data loss. Some firms will view privacy issues as rare and, as a result, decide to not pay much mind or invest in more advanced access controls to mitigate the worries. If the recent breaches that have hit the news teach nothing else, it is that reactive security measures will never be as efficient or safe as proactive ones.

The retail sector has been on the losing end of the cybersecurity battle for several months now, and some of the events that took place toward the end of 2013 continue to become more intense and heated, especially in the case of Target. Other retailers must view this type of news as a healthy reminder that privacy issues must be on the top of the priority list in the modern market, as it only takes one serious loss of information to be continuously challenged for months and years to come. 

Case in point
Computerworld recently reported that the latest goings-on in the Target breach arena include a new, and somewhat rare move from two banks that are working to hold the retailer and its security auditor responsible for damages incurred. According to the news provider, Trustmark National Bank and Green Bank N.A. have filed a lawsuit in a federal court in Chicago against Target and Trustwave, while the plaintiffs are also trying to make this a class action proceeding. 

As a reminder, the investigation into the breach revealed that Target and its constituents might have missed several red flags, some of which seem to indicate extreme negligence, that should have tipped off the vulnerability long before the attack actually occurred. In these instances, matters of Payment Card Industry Data Security Standards compliance move into the forefront of discussions regarding responsibility. 

The source explained that the PCI Security Standards Council have spoken out about the breach, and asserted that had the auditor and Target been compliant with the regulations, the breach could not have occurred. Additionally, Computerworld pointed out that large retailers are required to go through audits every year to ensure comprehensive compliance with the law and tight security. 

Not quite accurate
Studies have shown that PCI compliance does not necessarily mean complete immunity to breaches, and in the Target instance, previous litigation proceedings have indicated that the standards do not even fulfill commercially reasonable controls. Banks must understand that PCI compliance should be a priority, but is not the only procedure taken to protect data and systems from breach. 

Instead, more advanced solutions such as multi-factor authentication should be implemented in a timely fashion to shore up defenses in a more comprehensive manner. Whether the lawsuit will go in favor of the banks damaged by the event or the retailer and its auditor has yet to be seen. Still, financial institutions should take a lesson from this event and begin to transcend simple compliance, approaching more stringent security by their own standards.