On Wednesday, December 18, 2013 the Target breach had not gone public or viral yet.
However, Target’s hand was forced when an independent underground source confirmed Target had been breached after he bought a number of credit card account details from a well-known “card shop,” – an online merchant that deals reliably with stolen credit and debit cards.
On December 19 Target went public with the breach. In the meantime, banks were notified of fraudulent cards being made, and thousands-possibly millions-of cards were affected. We now understand up to 110 million customers could be affected by the breach at Target.
At the same time the Target breach was made public another retailer, Neiman Marcus, learned from financial industry sources that fraudulent credit and debit cards were traced and used at brick-and-mortar stores run by Neiman Marcus.
Neiman Marcus kept quiet about its fraudulent-card event until January 11.
Who did the right thing? Is there a risk management guideline that provides a blueprint for the anatomy of a data breach?
“Dragging out disclosure of a major incident can be a double-edged sword in the court of public opinion,” said Cynthia Larose, chair of the privacy and cybersecurity practice at law firm Mintz Levin.
It is not clear to corporations exactly how do you should go public: does it depend on the size and severity of the event? How does your team of experts inside and outside of the company determine the right strategy? Are they thinking about the enterprise or their personal liabilities for the companies they represent in reporting the breach? Or is there a personal ‘badge of honor’ in being the first to discover the breach?
“When you look at the state laws data breach notification requirements, most of those laws don’t set a firm timeline on notification. They use language like ‘most expeditious time possible,’ and ‘without unreasonable delay,'” Larose said. “Retailers could use this vagueness to wait on public reporting and notification of consumers.”
From these two very recent examples, it is not clear that one or the other judged the timing of its disclosure better.
It very much depends on the circumstances of each breach: Both the Target and the Neiman Marcus breach disclosures suggest a mid-December discovery, although the timings are almost a month apart.
According to Neiman Marcus, there was a lot of furious paddling under the water during the discovery period, while remaining calm above the surface.
The firm said in a statement: “We informed federal law enforcement agencies and are working actively with the US Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.”
“Most companies look for guidance from outside forensic and cyber experts including Secret Service and the FBI to help them determine if the containment and discovery process has reached the point of notification,” Larose explained. “Some state laws also allow for a delay in notification at the request of law enforcement and this can help keep the breach under wraps while an investigation is active to better pursue the criminals.”
The risk-management issue for both of these retailers is: What was discovered by each entity and when?
When to disclose a breach is shaped by factors such as the desire to contain liabilities, preservation of brand, maintaining consumer confidence and retaining shareholder value in the corporation.
There are general guidelines from experts managing the containment of a cyber breach. There are also public relation firms that do just that-guide the public eye on breach reporting and follow the team of experts as they contain the breach.
“Both retailers had full discretion to hold off on reporting their breaches,” said Mary Beth Borgwing, global executive director of cyber risk and CRO practices for Advisen. “In the case of the Target breach industry bloggers and media forced the hand of Target to go public and it went viral on December 19. Forty-six out of the 50 states have a data breach law on the books. Even for those four states that don’t have it, the best practice is to provide notice.”
Mary Beth is President of the Cyber and Risk Practice at Advisen. Mary Beth, a senior risk, insurance, and finance executive speaks and writes frequently on cyber risk management. Contact Mary Beth at [email protected].
