Target Breach: A Watershed Event

Privacy Attorney Assesses Incident Response

David Navetta

The breach at Target stores that may have affected as many as 40 million credit and debit card account holders is a watershed moment that could greatly raise awareness of cybersecurity risks, says privacy attorney David Navetta.

"It's a watershed moment because of the high-profile nature of the Target and the size of the breach," says Navetta, a partner at the Information Law Group. "... It will raise [breach] awareness because people often think of hacking situations online or losing your credit card information at e-commerce sites. But now, here we have a situation where people are physically going into the store, using their card ... and their data is being taken."

The high-profile incident could serve as a catalyst for more organizations in all business sectors to develop robust breach response plans, Navetta says in an interview with Information Security Media Group.

"That said, a plan before a breach can take you only so far," he says. "Every breach is a unique creature, and provides a lot of curve balls. ... And you can never anticipate [everything], even with the past planning."

Target hasn't shared details about the breach beyond what it reported Dec. 19 - that U.S. point-of-sale transactions conducted between Nov. 27 and Dec. 15 were likely compromised (see Target Breach: What Happened). The retailer fessed up only after media reports of the breach.

Notification Timing

Navetta says he suspects that the delay in reporting might have been justified because Target was in the midst of an investigation to determine what went wrong.

"They probably had to go out with the best information that they had perhaps because this became a public event," he says. "They should continue with their investigation and make sure they understand the root cause of this breach. They should eliminate any vulnerabilities that may exist that allowed the breach to occur. And they should get a full picture of the actual scenario in terms of what was exposed and who was exposed and also finally confirm that it's not ongoing."

In the interview, Navetta:

Discusses the impact of the breach on the debate over whether Congress should enact a national breach notification law;

Explains why offering breach victims free credit monitoring is not necessarily effective as a tool to stop charges from appearing on customers' invoices (this interview was conducted before Target announced it would offer free monitoring to certain affected customers); and

Addresses lessons all types of organizations could learn from the Target breach.

Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He's also a certified information privacy professional.