Banks Suing Target Make New Demands
Ask Court to Force Release of Details on Breach, Security
U.S. banks and credit unions that filed a lawsuit against Target Corp., seeking to force the retailer to reimburse them for costs associated with its massive 2013 data breach, now want the court to require Target to disclose more details about its security practices.
In a motion filed July 24, plaintiffs' attorneys asked the court to force the retailer to unseal certain documents. They argue that Target's "blanket" confidentiality designation for documents tied to its security processes and 2013 card and data breach is unfounded. And they claim Target is trying to hide behind confidentiality of so-called "sensitive" information about its intellectual property and security practices to avoid humiliation.
Attorneys for the plaintiffs also argue that the financial institutions involved in the class action are being denied access to vital information that would help them make more informed decisions about whether to accept settlements, or push forward with their lawsuit in an effort to recoup breach-related losses and expenses.
In May, card issuers rejected Target's $19 million proposed breach expense settlement with MasterCard.
Justification for Sealing Documents
Two cybersecurity attorneys not involved with the case say Target's request to keep sensitive information sealed could be valid, because any information linked to the retailer's security practices, network infrastructure and handling of cardholder data could potentially cause serious damage if made public.
"Good information security depends on denying hackers information about the system and controls," says Ron Raether of the law firm Faruki Ireland & Cox. "Something as basic as to the type and software version of a router can be of value to hackers. Making public such details could erode Target's existing security profile and put more consumers at risk."
And attorney Chris Pierson, who now serves as the chief security officer of Viewpost, a payments network provider, notes that Target may have disclosed certain documents and details about its breach to its own legal counsel, making those documents privileged and, therefore, sealable.
"In order to prevent the disclosure of certain documents, the party would have to claim a privilege of some sort - attorney-client privilege, trade secret or other sensitive intellectual property, confidential document, or some sort of PII [personally identifiable information] that should be released only under certain controls," Pierson says. "To the extent documents detailing how Target's security and infrastructure was or is designed have been sealed, these documents would be highly sensitive and subject to tight limitations and control by the court. The release of unredacted network diagrams or controls could jeopardize the security of the Target environment."
Representatives of Target, as well as attorneys representing the banking institution plaintiffs in the case, declined to comment about the litigation.
A hearing will be held Aug. 12 to consider the plaintiffs' motion to have documents unsealed. On Sept. 10, the court will consider whether to grant the lawsuit class-action status.
Making the Case
Plaintiffs' attorneys note that as part of the proposed settlement with MasterCard, which ultimately was rejected, banks and credit unions would have had to release their claims under the MasterCard Account Data Compromise program, along with all claims in the class-action suit.
"To the extent Target again attempts to engineer a card brand settlement that similarly aims to obtain for Target, outside the court's supervision, a full release of its potential liabilities related to the breach, including through this litigation, financial institutions should be permitted to evaluate what they are being asked to give up," the plaintiffs' motion says in arguing for Target to release more information.
MasterCard did not respond to Information Security Media Group's request for comment about the failed settlement with Target. In May, however, MasterCard said it was working to "resolve the matter."
And a Visa spokesperson tells ISMG that Visa is not pursuing a settlement with Target related to its card breach. Instead, "Visa continues to work with Target and its acquiring financial institutions regarding any potential liability under its Global Compromise Account Recovery program," the spokesperson says.
In May, Visa modified its GCAR program to ensure that smaller card-issuing institutions are compensated more for card re-issuance and other breach-recovery-related expenses (see Why Visa's Paying Banks More after Breaches).