Target’s multistate settlement ($18.5MM) for their 2013 data breach is the strongest evidence yet that Data Governance and Security is impacting organizations in every vertical and geography. This is the largest settlement amount we’ve seen yet for a data breach, and corporations should take note of its significance. The terms of the settlement go well beyond just monetary compensation, but read like an instruction manual for the creation of a comprehensive and defensive data security program.
Specifically the settlement requires Target to:
- Develop, implement and maintain a comprehensive information security program;
- Employ an executive or officer responsible for executing the program;
- Hire an independent expert to conduct a security assessment;
- Maintain and support data security software on the company's network;
- Segregate consumer data from the rest of the network;
- Take steps to control network access, including password rotation policies and two-factor authentication.
This list provides step-by-step instructions for organizations seeking to proactively protect sensitive data and prevent a breach. Corporations that process personally identifiable information (PII), and other sensitive data, that do not have a robust data governance program inclusive of these items may face some hard questions should a breach occur.
Luckily, cyber and data protection experts can help in-house legal, risk, compliance, IT and information security teams tackle these challenges. True cyber resilience and data security is the result of strong proactive efforts including information governance, system auditing, secure network building and vulnerability testing and remediation. Companies now have more than 18 million reasons to seek out a partner who understands data from all of these angles, and can help conduct data security due diligence utilizing Target’s settlement as an example.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.