Retail security experts from Lieberman Software and HP Security Voltage commented late today on the news of Target agreeing to pay $10 million to settle the class action lawsuit from their 2013 data breach.
Philip Lieberman, CEO of Lieberman Software (www.liebsoft.com):
Fines such as these provide strong motivation for corporate boards to prioritize changes in the organizational behavior of employees and the evaluation/implementation of security technologies that are effective rather than cheap or default choices. Real noninsurable costs prove the real worth of IT security rather than the security theater put on by many companies.
George Rice, Senior Director of Payments, HP Security Voltage (www.voltage.com):
Unfortunately, there continues to be a large and growing market for stolen personal information, such as credit card numbers and account information. And as long as there is a value on this data, thieves will continue to improve the sophistication of their attacks, making retailer and all consumer facing businesses vulnerable. The best approach is to protect sensitive information with data-centric security, such as high performance tokenization and encryption. With data-centric security, the sensitive information is protected so that even if a breach occurs the hackers cannot use it.
Retailers are taking note. They understand that the brand and reputational damage that these breaches impart often outstrip the hard costs. The smart retailers are looking at ways to protect themselves even in the case of a data breach. That’s the kind of protection data-centric security provides.
This ruling is only one piece of the overall damage done by this kind of breach. There are the hard costs associated with the breach and the more intangible costs such as brand and reputation damage. Retailers are very much aware of these costs and understand the importance of protecting sensitive data through the use of advanced methods such as data-centric security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.