Target Corp.’s board of directors shot back at an advisory shareholder firm who recommended the ouster of 70 percent of them for their perceived lack of preparation for and inadequate response to Target’s data breach late last year.
In a letter to shareholders filed with the US Securities and Exchange Commission, Interim Chair Roxanne Austin asked for the reelection of all board members during its shareholder meeting on June 11. She said the board “recognizes the importance of its oversight responsibilities in [cybersecurity]” and took actions to address cyber crime before the holiday-season data breach exposed 40 million customer payment-card data and personally identifiable information of another 70 million customers.
The actions, according to Austin, included investments in network security professionals and technology, data security training for employees and operating a security operations center to review suspicious activity. More than 300 employees are devoted to information security, she added. And the retailer is a founding member of the National Cyber-Forensics & Training Alliance.
Nevertheless, Target suffered the worst retail data breach ever and has since started an “end-to-end review of its network security and is moving toward chip-and-PIN technology for credit card processing,” Austin said.
“The board is conducting a broad examination of Target’s risk oversight structure, which will include an examination of the role of senior management, reporting structures and board oversight,” she said.
Late last month Institutional Shareholder Services said in a report it recommended the removal of Austin as well as Mary Minnick, Anne Mulcahy, Derica Rice, Calvin Darden, Henrique De Castro and James Johnson “for failure to provide sufficient risk oversight.” These board members comprise Target’s audit and corporate responsibility committees.
ISS said the committees should have been aware and closely monitored the risk of a data breach and potential impacts on brand reputation and value.
“We want to assure you that the board takes its oversight responsibilities seriously and we recognize the importance of Target addressing these information security issues in the most effective manner possible,” Austin concluded.