The New York Times reports that almost a year after the Target data breach was discovered, a federal judge has ruled that banks, lenders, and credit card companies can move forward with their lawsuits against the Minnesota-based retailer.
This ruling has huge implications for IT contractors because it potentially increases the cost of a data breach for your clients and further clarifies that businesses can be sued for their faulty data security even if the breach was caused by a flaw in third-party software.
In this article, we'll look closely at this new ruling, going step-by-step to show you how your professional liabilities have changed.
Data Breach Lawsuits: Why Are Banks Suing Target?
After its infamous data breach, Target was sued by numerous consumers and banks. Consumers sued the retailer for damages related to potential identity theft, but why did banks sue Target?
For years, financial companies have complained that they unfairly carry the financial burden of data breaches. After a breach, banks are forced to…
- Reimburse consumers for fraudulent charges.
- Reissue credit cards for their customers.
The costs are significant. A typical credit card costs $5 to $10 to make, which means that a breach affecting 45 million consumers could cost $450 million for banks to clean up.
These numbers aren't hypothetical. Fox Business reports that two months after the hack, credit unions and banks already paid $200 million in costs related to the Target breach. After a number of banks sued Target, federal courts decided to combine all these lawsuits into one case (a common practice). It was this combined case that was just ruled on.
Target hasn't been found guilty. Rather, the judge simply ruled that the company can be sued, saying that there is enough evidence to carry on with the lawsuit. But this preliminary ruling opens the door for more lawsuits.
Now that a federal judge has ruled that banks can seek damages from businesses that have been hacked, we could see a significant increase in the number of data breach lawsuits and the total cost of breaches for businesses and IT consultants.
What This Means for IT Consultants
To understand how this ruling affects IT consultants, you'll need to understand the two reasons which led the judge to rule Target could be sued:
- Mistakes that led to insufficient security against data hackers.
In his memo, Judge Paul Magnuson pointed out that Target…
- Ignored warnings from FireEye (its threat-detecting software).
- Turned off key security features.
- Failed to properly protect its network where it allowed third-party contractors access.
In other words, the judge ruled that Target should have done more and made mistakes in carrying out its data security.
In the IT risk management world, we refer to these two mistakes as errors and omissions (hence the name for Errors and Omissions Insurance).
Businesses face significant risks from third-party contractors and software. When a business allows a contractor to access its network, it can expose private data to more breaches if the business doesn't properly quarantine the contractor's access. Cyber criminals were able to install malware on Target's network after hacking an HVAC contractor that had access to the company's network.
In data security, you're only as strong as your weakest link. The ruling in the Target data breach reminds us how true that is. A third-party contractor's weak security, or a flaw in a malware detection service, could lead to multiple lawsuits filed against your clients.
To learn more about protecting your business from IT lawsuits, make sure to read about Professional Liability Insurance for IT professionals.