Tag Archives: Settlement

Why Do We Still Have Cyber Breaches?

Evan Schuman wrote an opinion piece in Computerworld yesterday that I found very interesting.

Neimans suffered a credit card breach in 2013 that would be considered small by today’s standards.  Initially they reported that a million cards were compromised;  later that number was reduced to about 375,000.  About 9,000 of those cards were used for fraud.

The company settled a class action lawsuit against them for the breach for about one and a half million dollars.  That translates to about $4.20 per customer.  After 4 years.  After taking out the lawyer’s fees, it leaves about $1.00 per consumer affected.

If not enough people apply for a piece of the pie, Neimans gets to keep whatever is leftover.

In the settlement, Neimans talked about all the changes that they made since the breach –

  • They hired a CISO.  Apparently, until the breach, Neimans, a $5 billion retailer, did not have an executive in charge of cyber risk.
  • They hired some additional cyber security people.  It doesn’t say how many or what they are doing.
  • They are reporting about cyber risk to the C-Suite and the Board now.  More frequently.
  • Neimans installed chip credit card terminals in their stores now.

So, if you think about it, after 4 years Neimans’ insurance carrier paid out a million+ dollars, they hired a few more people and they are talking some at the C-Suite level.

There were, of course, other costs.  Neimans had to hire lawyers to defend them.  They likely had to pay fines to their banks.  They may have lost some business, but in general, the costs are likely pretty modest – especially considering that they are a $5 billion concern.

I am glad that they hired a CISO and a security team.  That is likely a good thing, but should not have required a breach to make it happen.

Now, of course, before executives get too excited about this, compare this to Home Depot, who recently announced that they had spent $300 million – so far – recovering from their breach.

So it appears to be a mixed bag and getting breached certainly is a distraction for businesses, for years afterward.  Depending on the business, more or fewer customers will leave after a breach (depending on how painful it is for the customer to move, in part).

So at least right now, there is no strong incentive for businesses to be very proactive and that is pretty much what we are seeing.

If consumers want this to change, they will have to vote with their wallets and pocketbooks.  If businesses saw a consistent 25% or 33% drop in revenue after a breach and that revenue didn’t come back in a couple of months, that might change the equation, but until that happens with some consistency….

I did see a statistic recently that said that 20% of businesses hit by ransomware go out of business.  Now that is a compelling number.  Apparently, getting your data encrypted is a bigger risk than losing your customers’ credit cards.  The stores and banks understand this equation.  While it is expensive to credit people for fraudulent transactions and issue new cards, it is less expensive than losing business.  In this case, the banks and the businesses both lose out, but it stops the consumers from getting out their pitchforks and torches and doing some serious damage.

Imagine what would happen if consumers had to pay if their accounts were breached?  For one thing, it would likely mean that people would use their credit cards a lot less.  Since that means a whole lot fewer spur-of-the-moment purchases, the stores really don’t like that option.

It is an interesting situation.  For the most part, everyone has settled in and hunkered down for the duration.  No one likes the status quo, but they like the alternatives even less.  That goes for both customers and businesses.

One thing to consider, however, before I put this to bed:

The cost to businesses of the theft of intellectual property on an annual basis dwarfs the entire credit card fraud bill.  And, for the most part, insurance only pays a tiny part of that cost.  Most of the cost is unknown (often the theft is not even discovered for years), uninsurable and, in some cases, unrecoverable.  Consider that for a moment.  For businesses, this is a much bigger incentive not to get breached.

Pretty interesting.

Information for this post came from Computerworld.


FTC Settles With Asus Over Security Claims

Asus is an international manufacturer of all kinds of computer and networking equipment.

The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers’ information, but rather for representing that its routers had numerous security features that could protect users from unauthorized access and hackers when, in fact, they were buggy and not secure.

In fact, under section 5 of the FTC act, as the Wyndham Hotel chain discovered, they could probably have brought an action in either case, but it is much clearer that saying it was secure when it was not is deceptive.

According to the FTC,

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.

Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they better maintain reasonable security or the FTC will explain to them that they should.

In the agreement, Asus agreed to create a security program, have that program monitored by the FTC for the next TWENTY years, notify consumers of security flaws and workarounds for those flaws until they are patched, and let the FTC audit them every two years during that period.

For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the crosshairs of the FTC.  The FTC is not expecting IoT devices to be bug free, but they are expecting manufacturers to be responsible.

Manufacturers should consider themselves warned.


The FTC press release on the Asus settlement can be found here.

Target Settles Yet Another Breach Claim

Target has agreed to pay $39+ million to banks and credit unions who had to reissue cards as a result of the breach of 40 million cards in late 2013.  This still has to be approved by the judge in the case.  An earlier settlement for a lower amount was dismissed by the judge as too low.  Target also agreed to pay plaintiffs’ legal fees of not more than $20 million.  The banks have said that they spent more than $200 million for losses and reissuing cards.

Target has already agreed to pay Visa $67 million and shoppers another $10 million.

There are still several class action lawsuits not settled including shareholder lawsuits, an FTC investigation and probes by state Attorneys General.

Last week Target said that it has spent $290 million on costs related to the breach.  It is not clear if this new $39+ million plus $20 million in legal fees is included in that number.  The $290 million is offset by $90 million in insurance payments, meaning that the breach only cost them $200 million out of pocket.  They get to count that as a loss against income, so assuming they have a 33% tax burden (just a guess),  that brings the total down to a piddly $135 million.  Plus, possibly, yesterday’s announcement and whatever it costs them to settle the remaining lawsuits plus lost business plus the distraction for executives over the last two years – so far.

Occasionally I hear people say that they are not worried about a breach because they have cyber liability insurance.  While the SCALE of the costs is likely different for other companies, the ratio is likely the same.  For Target, SO FAR, insurance will likely cover less than ONE HALF of their net costs, and likely significantly less depending on how much the remaining lawsuits cost them.

While Target’s stock price is actually up from pre-breach values, their balance sheet has not recovered.

Their sales are basically flat over 2013 and 2014 at around $73 billion, but their net income is off a little bit.  Their operating profit was down between 2013 and 2015 by over a billion dollars and their net income for the year ending Jan 31, 2015 was negative $1.6 billion vs. a positive $2.99 billion for the year ending Feb 2, 2013.

And of course, this is far from over.

Information for this post came from Yahoo Finance and Reuters.

Banks Fighting Back Against Retailers In Breaches

The WSJ is reporting that the bankers who were impacted by the Target and Home Depot breaches are fighting back.

Usually, Mastercard and Visa negotiate a deal with the retailer who was breached and then dole out the money to the banks.  The money seems to go to the big banks with the small banks being left out.

Earlier this month Target agreed to a deal with Mastercard to pay $19 million to cover the banks’ costs from the breach.  Visa, it is assumed, will negotiate their own deal.  Usually, part of this deal is for the banks to agree to give up their right to go after the merchants themselves.  The banks have gone to the judge and said that they are not willing to do that.

To help understand why, the small banks are mad as hell and not going to take it any more, to use an old quote.  A survey of 535 banks with assets below $1 billion revealed that nearly 75% of them did not receive a dime in reimbursements for breaches between 2009 and 2014.  NOT. ONE. DIME.  At the same time, all banks with assets above $50 billion were reimbursed.

Breaches are a bigger problem for small banks because they don’t have the economies of scale.  A big bank can issue a new card for 3 bucks.  It costs the small banks 10 bucks, for example.

The Chicago Patrolman’s Federal Credit Union has only 16,000 Visa cards in circulation.  Last year, they suffered $80k in fraud losses.  In the first quarter of this year, they had $55k in losses. That is hard for a small bank to swallow.  In a previous breach they suffered $150,000 in losses and received $1,000 in reimbursement.

This fight is likely to get ugly before it gets done.  One option for the small banks would be to decline to participate in the $19 million settlement, which I think they legally can do.  If history is any indicator, that might mean that they forgo getting that $1,000 check.

What it also means is that it is likely to get uglier for Target and Home Depot.  It could mean “death by a thousand cuts” where they are defending themselves against a whole bunch of lawsuits.

This is all speculative, but Target was likely thrilled to settle for $19 million when the banks said that they spent over a half billion.  If this winds up going to trial, which I doubt Target or Home Depot would ever allow – even if they had to give the banks a lot more money – it would reveal details that these retailers would rather keep quiet.

It also means that the breach stays in the public’s mind longer.

What this also means is that the days of businesses who are breached settling with the banks for a penny on a dollar or less may be over.

All very interesting – stay tuned as this plays out.

Then Target has to deal with Visa.  There isn’t even an offer on the table and given what is going on in court right now, I doubt there will be one until this is settled.

For any organization that collects NPI, this means the stakes are being raised.  Be smart.  You cannot guarantee that you won’t be breached, but, at least make it a challenge.


Target Agrees To $10 Million Fund For Breach Victims

UPDATE:  KARE11 in Minneapolis is reporting that if you include attorney’s fees and other costs, Target will be on the hook for around $25 million (see article) and that payments could begin as early as April 30th.

NPR is reporting that Target has agreed to set up a $10 million fund for victims of last year’s credit card breach.  The agreement still has to be approved by the judge.  Individual victims could get up to $10,000.

The agreement says that Target will appoint a chief information security officer (I am surprised they don’t have one), create a formal information security program and train employees.  None of this is earth shaking.

What is earth shaking is that victims will be able to be reimbursed for:

  • Unauthorized and unreimbursed credit card charges
  • Time spent addressing charges
  • Fees spent to hire someone to fix their credit report
  • Higher interest rates on accounts
  • Credit-related costs like buying a credit report
  • Costs to replace IDs like SSNs or phone numbers

Victims will have to provide reasonable documentation.

Target is still having hard times after the breach, recently announcing it will close all 133 Target Canada stores and lay off 17,000 employees.  Earlier this month they laid off another 1,700 employees and cancelled 1,400 open positions.

The reason this agreement is important is that it sets a precedent that breached businesses are responsible for protecting information and are responsible for victims’ costs of dealing with the aftereffects of a breach.

For the most part, up until now, businesses said that they would offer you credit protection and besides that, all the other costs were your responsibility.  After all, the credit card companies and banks eventually credited your account, returned overdraft charges and such.

This precedent may also mean that businesses could be liable for the effects of other, non-credit card, stolen information.

What is not clear is how or if this affects other suits pending, such as the ones the banks have initiated to recoup their costs of replacing credit cards.