In Wake Of Target Ruling, Will Retailers Scale Back Security So They Can Plead Ignorance?

targetLast week, a federal court in Minnesota gave the go-ahead to a lawsuit filed against Target by several banks trying to claim damages from the massive 2013 payment systems breach. Now, some worry that the court’s decision could lead retailers to go with simpler, perhaps less secure, systems rather than risk missing a red flag on a more complicated one.

The concern, a few security and payment system experts tell the Christian Science Monitor, is that Target is being sued for its alleged failure to notice early signs of a breach that could have saved billions of dollars.

If the banks are successful, a hacked retailer could be held responsible for missing any blip on their security radar. The more complex and layered a system, the more blips, though many of them will be false alarms.

So might retailers be tempted to dumb down their alert systems so that they can later plead ignorance if a hack occurs?

“There is a huge security negative to this kind of ruling,” explains John Pescatore, director of emerging security threats at the SANS Institute. “It reinforces the ‘better not to know, than to know and not do anything’ [mindset]. For way too long that was used as a reason not to do vulnerability scanning or penetration testing – a huge mistake.”

Christopher Pierson, general counsel and chief security officer at online invoicing and payment platform Viewpost, says the ruling’s stance that negligence might exist just because a security-alerting service wasn’t used aggressively enough highlights a lack of understanding of how companies deploy new security technologies.

In many cases, he tells CS Monitor that companies’ security programs use multiple layers of defense against attacks.

When new systems are put into place they must first have time to gather information into what constitutes normal networking behavior. To do so, they are often introduced on a learning or passive mode.

Because the systems in place at major companies can generate millions of alerts each day, companies may limit the kind of response features used to minimize issues for consumers.

Pierson says that while monitoring network events and logs can enable better security, requiring companies to monitor all of their logs all of the time could harm their ability to operate in the first place.

While we could possibly see a smaller company choosing to not upgrade its system so that it could eventually claim “We did the best with what we had,” we don’t imagine any retailer — and certainly not a major, national chain — deliberately scaling back its alert system.

That would only put a bigger target on the retailer’s back, as it would demonstrate the company knew about — and had the means to deploy — a better system but deliberately opted to not do so.

It’s one thing for a home gardener to find out after the fact that his flimsy wire fence wasn’t enough to keep out the gophers. It’s another for a deep-pocketed farm to tear down a multi-leveled animal repellent system and put in a flimsy wire fence.

One lawyer we spoke to agrees, saying that a retailer could end up being hurt more by choosing to scale back its security.

Having an inadequate system in place purposefully to avoid liability is totally unacceptable and any company that does so should be penalized, the legal eagle tells Consumerist.

Target ruling raises stakes for cybersecurity vigilance [The Christian Science Monitor]