If we can learn anything from the $10 million settlement Target reached last month to resolve the class-action suit brought against it by customers who were victims of the retailer’s 2013 data breach, it’s that we still haven’t learned anything about how to improve security from breach after breach after breach. Even worse, we’re not really trying—we’re too busy attempting to calculate and shift around the costs and arguing about whether they’re too low.
Those costs matter, but the numbers in the settlement are pretty meaningless when it comes to understanding the losses incurred by the Target breach. Given the scale of the attack—roughly 40 million payment card numbers were stolen—and the media attention it received, it’s not hard to understand why some reacted to the settlement sum as a “shockingly” small amount. But Target incurred a total of $252 million in expenses related to the breach, according to its latest SEC filing. The bulk of losses associated with payment card breaches are not necessarily borne by the people whose credit cards are compromised—the ones who stand to benefit from this settlement. Often those costs land on the banks and credit card companies that have to cover the losses and replace the stolen cards. Those parties are not included in last month’s settlement, but a group of them was permitted to move forward with a suit against Target late last year.
Even the SEC filings offer an incomplete picture of the costs of data breaches. In an analysis of the Target, Sony, and Home Depot breaches published in March, Benjamin Dean at the Columbia School of International and Public Affairs found that after tax deductions and insurance reimbursement, the cost of the breach to Target was $105 million, equivalent to roughly 0.1 percent of Target’s 2014 sales. The costs were even lower for Home Depot ($28 million, or 0.01 percent of 2014 sales) and Sony (between $15 million and $35 million, or 0.9 to 2 percent of Sony’s projected 2014 sales and revenue), according to Dean’s calculations.
“This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed,” Dean writes. Of course, it’s also possible to interpret these numbers (if you choose to take them at face value) as telling a more cheerful story, in which large-scale data breaches are not actually catastrophic, and the theft of 40 million credit card numbers does not automatically translate into mountains of costly fraudulent activity. (After all, the theft of credit card numbers by itself is not harmful unless they can be used to steal money, and Target says the breach has been linked to “low levels of fraud.”)
But arguments about whether we overreact or underreact to data breaches and overspend or underspend on information security miss the larger point: that we still don’t know how to defend against these incidents. We’re so busy worrying over who pays how much to whom for these breaches that we fail to actually dig into why the breaches happen and what measures might have prevented them.
Instead we fixate on these very malleable cost numbers because we worry that they’re indicative of how little we—and in turn the companies that store our data—care about computer security. But improving data security isn’t just a matter of caring (or spending) more. We also need to know what defenses work. Sure, it would be great to see companies investing more in security—but only if the things they invest in actually work. Spending more money does not automatically equate to stronger security. So for all the attention it’s garnered, the $10 million figure is far less interesting and important than the section of the Target settlement that deals with specific new lines of defense for the retailer.
Under the “non-monetary relief” section of the settlement, Target agrees to implement four new security measures and maintain them for at least five years. These include appointing a chief information security officer, maintaining a written information security program, maintaining a process to monitor for information security events and to respond to such events determined to present a threat, and providing security training to Target employees.
The individual items on the list are hardly groundbreaking—and of course, activities like hiring a CISO or writing a security program or instituting a training curriculum can fall anywhere on the spectrum from hugely effective to utterly worthless, depending on implementation. But the articulation of such a list in a data breach settlement is notable all the same. It’s a step, albeit a small one, toward trying to make some concrete judgments about what constitutes due diligence when it comes to information security. We need to be able to distinguish between the negligent, who never bothered to secure their data, and the unlucky, who took security seriously but were targeted by talented and dedicated adversaries.
The risk with any such list is that other companies will take it as license to implement those measures and nothing more. For the most part, though, the security practices Target has agreed to are sufficiently open-ended to allow for considerable ambiguity around what it would mean to do the bare minimum and still meet them. That ambiguity may make it harder for companies to hide behind that list should they do a lousy job implementing the practices. But it will also make it harder for the companies to figure out how to implement them well. It’s also unclear where this list comes from or whether it’s supported by any evidence. Do companies with CISOs and written plans have better security? Does employee training have any impact?
Dean suggests that governments intervene to change the incentives companies face, but first they might want to help answer those and other questions about the effectiveness of different security controls, using both their own internal records of security incidents and their ability to encourage (or compel) data sharing from private entities. Helping defenders figure out what to spend their money on is just as important as encouraging them to spend more money. But this means changing the way we think about fixing data breaches, and not relying on court cases and settlement fees to straighten them out. We’re so focused on data-breach economics and cost calculations that we hardly think about the deeper security issues underlying the design and impact of defensive technologies. After all, it’s difficult to incentivize good security when we don’t even know what that looks like.