Regulatory Issues
Some breaches go well beyond the questions of when and how bad the breach was, to the question of which agencies will get involved. The fear is not only of a company's own customers, clients and shareholders but of agencies like the SEC, FTC, FCC, CFPB and others. All have different agendas, regulations and standards for how they approach a cyber-breach. The major fear for the private sector is regulatory law. What if they are not following federal regulatory requirements? This is a risk that some companies are not willing to take in order to share information about a threat they may have found. The agencies feared the most are the FTC and the SEC.
The Federal Trade Commission (FTC) is a government agency that was initially “established to
This failure is what led to their data security being breached twice more in less than two years. (Federal Trade Commission)
The FTC is not the only agency that has issued guidelines for organizations to follow where data security is involved. After the latest data breaches involving retail giants like Target and Neiman Marcus, the Payment Card Industry Council issued stricter security guidelines meant for any retailers, banks or credit card companies that process credit card transactions. Noncompliance with the security guidelines could result in fines. Many agencies have increased their oversight of the security measures that companies are expected to follow and maintain. In 2011 the Securities and Exchange Commission (SEC) released guidance for publicly traded companies regarding their obligation to disclose incidents of cyberattacks. (Clarke & Olcott)
Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk. (Rockefeller, Menendez, Whitehouse, Warner, & Blumenthal)
Cybersecurity issues are not something just for the IT department to decipher and manage. Boards of directors and
The effective governance of cyber-risk is part of comprehensive good governance because, as mentioned earlier, data is one of the most important assets a company can have. Since data nowadays is typically stored in files on a company's computer systems or in its cloud, strong management of cyber-risk is necessary in order to prevent mishaps that can occur and cause damage to the company. Also, if a company is
Scholars are divided on the fundamental question of the Federal Trade Commission’s (FTC) adjudicative capacity under the FTC Act. The FTC uses a reasonableness standard and considers each company’s data security practices on a case-by-case basis. For more than a decade, the FTC’s enforcement of data security actions invoked under §5 of the Federal Trade Commission Act (FTC Act) resulted in consent decrees and settlements, subsequently scrutinized by practitioners as carrying as much precedential value as judicial opinions.
Legal actions are likely to be brought against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or another approved organization.
One of the largest examples of a technological privacy violation in history was the Target data breach of 2013. The Target Corporation is one of the leading innovators of the retail industry. It introduced the concept of designer partnerships, making it one of the leading clothing stores in the country (Corporate Target 1). Unfortunately, the company was targeted by Russian hackers shortly before Christmas of 2013. In this hack, the personal information of seventy million people, including customer names, mailing addresses, phone numbers, email addresses and credit card information, was stolen and used for fraud (Forbes 1). This has raised concerns over how well the company can ensure that its consumers’ privacy is protected.
According to a recent Travelers survey, identity theft, cyber security, and personal privacy rank as the top concerns for most Americans. Forty percent of individuals who participated in the survey believe they were a victim of one of these crimes (Survey: Cyber Risk, 2015). Companies are focusing attention on this topic and investing vast resources in combating these crimes. Questions arise regarding TJX’s role and responsibility to apprise stakeholders of a data breach. In 2008, TJX found itself in the unenviable position of needing to address these questions and concerns. This paper explores TJX’s response to compliance problems, its use of strategy, the influence that its response and decision-making have on the stakeholders and corporate brand, and the possible effects on TJX.
On December 18, 2013, the security blogger Brian Krebs posted on his blog that Target, one of the biggest US retailers, had suffered a massive data breach. The next day, Target announced that data from more than 40 million credit and debit card accounts had been stolen from its systems, noting that it had started a thorough investigation. By learning from Target’s mistakes, other organizations could achieve the goal of better protecting themselves and their customers’ information.
The FTC first became involved with consumer privacy issues in 1995, when it promoted industry self-regulation. After determining that self-regulation was not effective, the FTC began taking legal action under Section 5 of the FTC Act. Section 5 limits practices considered to be unfair to instances where, among other things, (1) the practice causes or is likely to cause substantial injury to consumers; (2) the substantial injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition. Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. Most of these cases resulted in settlements and did not produce judicial decisions addressing the FTC’s authority to regulate the data security practices of companies that have suffered a data breach.
One of the first data breaches that personally affected me was the TJX data breach that happened in 2005-2006. At the time I was both an employee and a shopper for the brand. The breach happened due to using a "weak Wired Equivalent Privacy (WEP) protocol instead of the stronger Wi-Fi Protected Access (WAP) protocol", not being up to date on PCI (payment card industry) compliance, and being overall behind in security controls (Patrizio, 2007). TJX also did not have the technology in place to flag and monitor suspicious activity. This breach resulted in over 45 million credit and debit cards being compromised (Vijayan, 2007).
A recent increase in large scale data breaches has exposed a multitude of cybersecurity vulnerabilities that pose a definite risk to consumers (Lorio, 2017). In some cases, a data breach can distress an establishment so much that other organizations experience a backlash from the repercussions (Kosseff, 2011). The Equifax data breach of 2017 is a perfect example of this kind of event as it caused an overwhelming economic repercussion that affected other major corporations and more than 143 million credit card customers worldwide (Janakiraman, Lin, & Rishika, 2018).
Since 2005 a total of 895,605,986 have been breached in 4,745 data breaches. Richard Clarke, the former national coordinator for security and infrastructure protection for the United States, believes that companies can be put into two types: those that have been breached and know it, and those that have been breached and just don’t know it yet. With so many cyber breaches and so much personal data being released into the wrong hands, many companies want to strike back on their own. While this idea may seem reasonable, I believe that companies should have a cyber strategy, such as identifying assets, outlining a plan of action, developing partnerships, and training their employees.
All three companies suffered a breach of cyber security by hacking, which put customer personal and financial details at risk of being obtained and used for fraudulent purposes.
I have worked for Target for about 3 years now, and one of the major challenges that I have seen the corporation face was the nationwide data breach in the company. There was a security breach into Target’s database on December 15, 2013, and the attackers had access to over 50 million customers’ information, including names, addresses, phone numbers, passwords, and debit and credit card information. Target is a large retail corporation that operates about 1,800 stores across the U.S. and also operates online, and as much as the organization’s revenue grows, it seems hard for the corporation to comprehend that more money should be spent to ensure that consumer data is protected. “In mid-December 2013, we learned
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
FISMA was enacted to significantly increase the state of security pertaining to electronic information and the computing systems that store and transmit such data. The act provides a broad structure for agencies to follow in order to safeguard