Card Issuers Are Foreseeable Victim in Target Data Breach Cases

In an important decision on standing in data breach cases, the United States District Court in Minnesota issued an Order last week denying Target’s attempt to dismiss all claims brought by financial institutions.  The card-issuing banks’ complaint alleges that Target (1) was negligent in failing to have sufficient security in place to prevent hacking of customer data; (2) violated, and was negligent per se for violating, Minnesota’s Plastic Security Card Act (the Act); and (3) is liable for negligent misrepresentation in failing to advise the plaintiffs of the insufficient security measures.

Target moved to dismiss the negligence claims on the grounds that it had no duty to, and did not breach any duty owed to, the plaintiffs because there was no special relationship between the parties, and the harm, if any, was an unforeseeable result of a third party’s (the hackers’) conduct.  The court disagreed and found that plaintiffs had sufficiently alleged that, whether premised upon the hackers’ conduct or Target’s own alleged disabling of a security feature and failure to react to warning signs in its system, the harm to the card issuers was a foreseeable consequence.  In addition, the court found the existence of a duty was bolstered by legislative intent under the Act, which was designed to protect customer data associated with cards, such as those issued by plaintiffs.

With respect to the omission claim, i.e. Target’s purported failure to advise of security deficiencies and its disabling of a security feature, the court found that plaintiffs had adequately pled Target’s knowledge of facts unknown to plaintiffs and specific claims that Target had misrepresented the adequacy of its security in public representations (including Target’s online Privacy Policy and Target’s agreement to comply with Visa and MasterCard Operating Regulations).  However, the court noted that plaintiffs had failed to specifically allege reliance on the omissions and, instead, only asserted that they had suffered injury.  In light of the need to specifically plead the element of reliance, the court granted Target’s motion on this claim, with leave for plaintiffs to amend their complaint to add facts/claims of reliance on the omissions.

With respect to the statutory claims, the Act prohibits the retention of cardholder data by persons or businesses conducting business in Minnesota and, following a data breach involving a violation of the statute, requires reimbursement of costs to the card issuer.  The court found Target’s argument that the Act only applies to Minnesota transactions to be without merit, stating that “it applies equally to Minnesota companies’ data retention practices with respect to in-state and out-of-state transactions.”

Target’s other arguments on the statute are more interesting and create a debate between the parties as to whether the hackers’ theft of data from the cards’ magnetic stripe (though allegedly stored on Target’s servers prior to transmission to the hackers), versus the theft of data maintained by Target itself, results in a violation of the Act regarding retained data.  While that issue will eventually be resolved if the case is adjudicated on the merits, the court found that, for purposes of the present motion, plaintiffs’ allegation that Target stored the information for longer than permitted under the Act, which increased the scope of the breach, was sufficient to state a claim upon which relief can be granted.

In sum, the claims pass muster (at least at the pleading stage), and the financial institutions have standing to proceed.


A Brief Summary of “Risk Management for Replication Devices” (Draft NISTIR 8023) by the NIST Computer Security Division

Last month, the Computer Security Division of the National Institute of Standards and Technology (NIST) released a draft publication titled “Risk Management for Replication Devices” (Draft NISTIR 8023). The full draft publication is here (with an excellent security risk assessment table and flowchart at the end).  The draft is of particular interest to individuals who are responsible for the purchase, installation, configuration, maintenance, disposition, and security of replication devices (RDs), including acquisitions; system administration; information system and security control assessment and monitoring; and information security implementation and operations.

Here is a summary of the key provisions of the draft:

  • RDs include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines when used as a copier, printer, or scanner. Even today, many organizations may not have an accurate inventory of RDs or recognize what functionality each device possesses, especially with respect to information (data) storage, processing, and transmission. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs.  RDs are often connected to organizational networks, have central processing units that run common commercial operating systems, store information internally on nonvolatile storage media, and may even have internal servers or routers.
  • The publication advises that, before placing RDs into operation, organizations configure each RD securely and implement appropriate security controls. There are numerous secure installation and configuration practices to consider and implement, and each device may have unique capabilities and security options.

Some practices to consider (with associated NIST SP 800-53 security controls in parentheses) include:

  • Disable unused physical and network ports (CM-7).
    • Implement physical security, e.g., locks (PE-3).
    • Whitelist/blacklist specific MAC addresses, IP addresses/address ranges, or email addresses
      (AC-18, SC-7).
  • Configure image overwrite capability.
    • Enable immediate image overwrite (MP-6).
    • Schedule regular off-hours overwrite with three-pass minimum (MP-6).

As for disposal of the RDs, sanitize RDs when they are no longer needed by an organization or will be repurposed or stored by doing the following (with associated NIST SP 800-53 security controls in parentheses):

  • Wipe/purge or destroy nonvolatile storage media (MP-6).
  • Change or reset passwords and other authentication information, e.g., user pins (IA-5).
  • Reset configurations to factory default settings (CM-6).
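The two checklists above (pre-deployment configuration and disposal) can be turned into a repeatable audit over an RD inventory. The following is an added example, not part of the NIST draft or this post; the inventory record layout, the baseline port set and the sample devices are all constructed for illustration.

```python
"""Audit a replication-device (RD) inventory against the Draft NISTIR 8023
practices summarised above. The inventory record layout is an assumption made
for this example; real RDs expose these settings through vendor admin consoles."""

# Hypothetical baseline: the only network ports the print service is expected
# to need. Anything else enabled on a device is flagged under CM-7.
REQUIRED_PORTS = {"ipp": 631, "https": 443}


def audit_rd(rd: dict) -> list[str]:
    """Return findings for an in-service RD, each tagged with its SP 800-53 control."""
    findings = []
    extra = sorted(set(rd["enabled_ports"]) - set(REQUIRED_PORTS.values()))
    if extra:  # CM-7: unused physical/network ports should be disabled
        findings.append(f"CM-7: disable unused ports {extra}")
    if not rd.get("physically_locked"):  # PE-3: physical security, e.g. locks
        findings.append("PE-3: no physical lock recorded")
    if not rd.get("allowed_sources"):  # AC-18 / SC-7: MAC/IP/email allow-list
        findings.append("AC-18/SC-7: no MAC/IP/email allow-list configured")
    if not rd.get("immediate_overwrite"):  # MP-6: immediate image overwrite
        findings.append("MP-6: immediate image overwrite disabled")
    if rd.get("scheduled_overwrite_passes", 0) < 3:  # MP-6: three-pass minimum
        findings.append("MP-6: scheduled overwrite below three-pass minimum")
    return findings


def disposal_checklist(rd: dict) -> list[str]:
    """Items still outstanding before an RD may be disposed of, stored or repurposed."""
    pending = []
    if not rd.get("media_purged"):
        pending.append("MP-6: wipe/purge or destroy nonvolatile storage")
    if not rd.get("credentials_reset"):
        pending.append("IA-5: reset passwords and user PINs")
    if not rd.get("factory_reset"):
        pending.append("CM-6: reset configuration to factory defaults")
    return pending


# Constructed sample inventory entries (not real devices or addresses).
SAMPLE_RDS = [
    {"name": "mfp-hr-1", "enabled_ports": [631, 443], "physically_locked": True,
     "allowed_sources": ["10.20.0.0/24"], "immediate_overwrite": True,
     "scheduled_overwrite_passes": 3},
    {"name": "copier-lobby", "enabled_ports": [9100, 23, 631, 80],
     "physically_locked": False, "allowed_sources": [],
     "immediate_overwrite": False, "scheduled_overwrite_passes": 1},
]

if __name__ == "__main__":
    for rd in SAMPLE_RDS:
        print(rd["name"], audit_rd(rd) or ["compliant"])
```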

Organizations are encouraged to review the draft publication during the public comment period and to provide feedback to NIST no later than Oct. 17. Email comments to sec-cert@nist.gov, or mail them to the National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930.