Boards need to have a data breach action plan ready for implementation because there is too much at stake.
Retail giant Target has given an important gift to the governance community this holiday season – a reminder that boards need to have a data breach action plan ready because there is too much at stake if it happens to you.
Last week, Target publicly revealed that it had experienced a data breach that compromised the credit and debit card information of 40 million customers who made purchases at its stores from Nov. 27 to Dec. 15. As of Dec. 24, Target was still trying to determine exactly how the breach occurred, but had indicated that it involved a sophisticated malicious software attack that infected the card-swiping devices at its stores.
The company’s attempts to deal with the incident have had mixed results, mainly because the timing of the breach – during the heat of the Christmas shopping season – couldn’t have been any worse. Here’s some of what Target has had to contend with:
- Reputation damage from negative publicity from one of the largest breaches in history
- Reputation damage and lost revenues from customers viewing Target as an unsafe place to shop
- Several states and individual customers filing class action lawsuits
- Angry shareholders as analysts cut price estimates for Target stock
- Cost of enlisting third-party companies to help find and eliminate the cause of the breach
- Cost of possible lawsuits from third parties hurt by the breach (banks seeking reimbursement for replacing credit and debit cards)
Of course, issues connected to the breach other than these may arise in the future. To get beyond this incident, Target’s board will have to make a very visible effort to show they have addressed the risk of additional data breaches.
How prepared is your company for a data breach? Data security has been forecast as a major concern for boards this year and next. Experts suggest many things that can be done, but it is the board that must make the final decisions about what is best for each individual company. Start that conversation today.