Consider these three points before discussing the Target consumer breach settlement with other leaders

Translating security headlines into value for your organization is sometimes tricky.

For example, did the CEO of Target lose his job because of the breach?

Probably not (Do you really think the CEO’s resignation from Target was due to security?). Bluntly, security was mostly cover and only a minor, if any, contributing factor. Low sales and a botched expansion into Canada played a larger role. Claiming, then, that Target “rightly” suffered and executives got punished is not only misleading, but it weakens your position as a security leader.

Target is again in the headlines with details on a consumer data breach settlement (link). Over the last few days, I saw and heard some comments that the settlement reached last week was a good sign for security. A real win.

Was it? We discussed it on the Down the Security Rabbithole podcast (listen here). Then I spoke with Shawn Tuma (bio, blog, @shawnetuma) to get his take.

Shawn pointed out three things security leaders need to consider:

This settlement is for the consumer litigation. Most considered this a shot in the dark from the plaintiff’s standpoint. In virtually all previous cases, the lack of current demonstrated harm and claim of future harm leads to a quick granting of the motion to dismiss. Reaching a settlement is a huge victory for plaintiff’s lawyers. This signals movement in the tectonic plates of the law by obtaining a recovery for claims historically considered too speculative.

This is a brilliant settlement by Target. Individuals are required to submit claims of documented losses caused by the breach before they are entitled to recovery. Consider the complication of documenting your loss and directly tying it to the Target breach.
Target seems reasonable by “settling” and paying up, and consumers that can demonstrate harm get compensated.

A win for the lawyers creates conditions for change. Class action litigation is viewed more as a vehicle for change than it is for recovery by injured “class members” who rarely get much of anything from it. This is a big winner for plaintiff’s data breach class action lawyers because it establishes a precedent for somebody paying out some noticeable money – not much in the big picture when compared with other class action lawsuits – but enough to prime the plaintiff’s lawyers’ collective pumps and make them want to keep trying.

How to discuss the settlement as a security leader

Focus beyond the headline to consider what the settlement means for consumers, for Target, and for you as a security leader. As a security leader, your role is to create value. That means understanding the business and aligning assets and efforts with priorities.

That means this settlement is a win for security. The key is to reconsider what it means to win. It’s not a tool for leverage. This is a path for leaders to structure conversations and guide action. The Target consumer settlement is a model. It establishes criteria to demonstrate harm, a process to make the claim, and defines what people are entitled to. The success of the class action approach means more are likely. That means this is an executive and board level discussion.

Lead these conversations to be recognized as a security leader (and not just a technical resource). Ultimately, the process of establishing and promoting criteria allows us to focus on the definitions of harm. The key is including the right balance of personal responsibility and factoring in the ‘cost of convenience.’

For now, speak softly on Target.
Use the lessons to focus inward.

Place emphasis on using this as an opportunity to demonstrate value to other leaders and build the relationships we need to improve the ability of your organization to detect and respond to breaches. Keep yourself out of the headlines.