Many of the facts surrounding the Target breach still remain unclear, even as details continue to emerge publicly. We still don’t know what the final tally of breached organizations will be, but the list keeps growing. In addition to who else has been breached and the impact on their customers, another factor we need to consider is how Target's business partners may be impacted. In a data breach on any retailer, card issuers, payment processors, insurers, suppliers and other parties may face substantial loss as the investigation and recovery costs ripple through these networks.
One thing that became clear last week is that is that the lawsuits and investigations will not wait for the final forensics analysis. Probes are already well underway as Senators Claire McCaskill (who heads the subcommittee on Consumer Protection, Product Safety, and Insurance) and Jay Rockefeller (who chairs the Committee on Commerce, Science, and Transportation) issued a letter asking Target for some details about the nature of the breach. And, according to the Los Angeles Times, about a dozen lawsuits have already been filed, including one charging Target with negligence through claims that “the retailer was warned in 2007 by a security expert about weaknesses in its point-of-sale systems.”
Perhaps Target was negligent, perhaps it wasn’t. Eventually, the facts will tell. However, it’s just a matter of time before Target’s payment partners are dragged into these lawsuits. Attorney Cynthia Larose of the law firm Mintz Levin told Reuters that she wouldn’t be surprised to see Target’s partners listed as defendants in many of the lawsuits already filed and that “these class-action lawsuits start to bring everyone in at some point.” Others quoted in the Reuters story "Target data breach could be costly for payment partners" agreed.
Currently, in breaches like this, it’s banks and card issuers that pay for the card replacement costs, at least in the beginning. Replacement costs range from $5 to $10 per card. Then there is also the additional customer service costs which may include longer branch hours or increased phone support. Some of these costs may be recovered through the retailer’s insurers. According to an article in BizJournals, Target is estimated to have up to $165 million in policies. A recent Advisen article explores the impact a series of major retail breaches could have on the insurance industry, clearly indicating that insurers are concerned their policies may leave them suffering considerable loss. Ben Beeson of Lockton, an insurance brokerage firm, is quoted in the article as saying, “Very broad policies are available for not a lot of money. The industry is signing up for a lot of risk. There is a worry for when that big systemic loss does happen.”
While supply chain partners appear not to have been impacted by the Target breach, they may have cause to worry in other cases. There are examples of technology companies being breached with the specific intent of harming one of their customers or business partners, most prominent being the attacks on RSA and Bit9, which were categorized as “supply chain hacks”. With increasingly integrated supply chains, hackers that have gained access to a retailer's network may be able to compromise sensitive partner data such as shipping schedules, pricing, inventory levels, etc.
The diagram below summarizes the possible impact to the ecosystem of a data breach at a retailer. But the widespread impact of a data breach is not limited to retailers alone. A breach at any company can impact its business partners. All of this points to why partner security – how well an organization protects its extended enterprise – is so important. Today, organizations are asking their partners how they manage risk. They want to know if they are engaging in good risk management practices, if their business continuity and disaster recovery plans are adequate, and how they work to protect their data.
But these checks are proving inadequate. Just as more enterprises are moving towards continuous security monitoring of their own networks, it’s time this same level of increased diligence is implemented for the extended enterprise.
As these lawsuits and investigations move forward, we don’t know how all of this will end and who will ultimately be held responsibly, but I can say that it’s going to be messy and it’s going to pull a lot of partners into the mix.