Alert - Cybersecurity Compliance: Target's Settlement Hints at Minimum Standards

October 9, 2017

       This past May, Target Corporation (“Target”) settled with the attorneys general of 47 states for violating various state consumer protection and privacy laws stemming from the compromise of its card payments processing and customer information repositories (together the “Cardholder Data Environment”),[1] which Target disclosed in two announcements, in late December 2013 and in early January 2014.[2] Memorialized as the Assurance of Voluntary Compliance (the “AVC”), the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program that, at a minimum, satisfies the criteria excerpted below.[3] While these remedial measures were prescribed solely against Target, businesses collecting comparable personal information[4] from consumers would be well-advised to refer to the AVC for guidance when formulating their own policies and procedures, especially given how frequently California’s data security and breach notification laws have been amended and how little settled interpretation of them yet exists.[5]

       One item of particular note in the AVC is the general qualification that the information security program be “reasonably designed to protect the security, integrity, and confidentiality of personal information collect[ed] or obtain[ed] from consumers.”[6] What measures count as “reasonable” depends on the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects from its customers. The AVC contemplates an independent, qualified third-party assessor to assist in that determination,[7] alongside the appointment of a designated risk officer with relevant experience in information security. As a full-time employee, the risk officer should be tasked not only with supervising the security program’s implementation and maintenance, but also with ensuring the CEO and board of directors remain informed of the company’s current risk posture, the evolving risk environment, and compliance with California’s Unfair Competition Law (the “UCL”), Reasonable Data Security Law (the “RDSL”), and Data Breach Notification Law (the “DBNL”).

Administrative Safeguards

  • Develop written, risk-based policies and procedures for auditing vendor compliance with the Security Program.
  • The Security Program shall be designed and implemented to ensure appropriate handling and investigation of “Security Events” involving Personal Information.[8]
  • Make reasonable efforts to maintain and support the software on its networks, taking into consideration the impact an update will have on data security in the context of the company’s overall network and its ongoing business and network operations, and the scope of the resources required to address an end-of-life software issue.
  • Maintain encryption protocols and related policies that are reasonably designed to encrypt customer information that the company stores on desktops located within the Cardholder Data Environment, and shall encrypt the data elements of customer information, as well as any other data elements required by state law to be so encrypted, that are stored on laptops or other portable devices, or transmitted wirelessly or across public networks.
  • Comply with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its Cardholder Data Environment and any system component that would be reasonably believed to impact the security of the Cardholder Data Environment if compromised. 

Specific Safeguards

Segmentation:

  • Take reasonable risk-based steps to scan and map the connections between its Cardholder Data Environment and the rest of its computer network in order to determine avenues of traffic and to identify and assess potential penetration vulnerabilities to the Cardholder Data Environment.
  • Cardholder Data Environment shall be segmented from the rest of the company’s computer network.

Access and Control Management:

  • Implement and maintain appropriate risk-based controls to manage access to and use of individual accounts, service accounts and vendor accounts, including strong passwords and password rotation policies.
  • Evaluate and as appropriate, restrict and/or disable all unnecessary network programs that provide access to the Cardholder Data Environment and/or to any system component the intrusion of which would reasonably be expected to impact the security of the Cardholder Data Environment.
  • Adopt a reasonable and risk-based approach to integrate two-factor authentication into individual accounts, administrator accounts, and vendor accounts.

File Integrity Monitoring:

  • Deploy and maintain controls including, but not limited to, a file integrity monitoring solution, designed to notify personnel of unauthorized modifications to critical applications or operating system files within the Cardholder Data Environment.
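What a file integrity monitoring control actually does is worth seeing in code, because the AVC only names the outcome (notify personnel of unauthorized modifications). The following is an added example written for this page, not code from the AVC, from Target, or from any FIM product: it baselines the SHA-256 digest, size and permission bits of every regular file under a directory, signs the baseline with an HMAC so that an intruder who can write to the host cannot simply rewrite the baseline to match the files they tampered with, and reports added, removed and modified files. The directory layout, file names and the simulated intrusion in `demo()` are constructed for illustration; the HMAC key is assumed to be held off-host in a real deployment.

```python
"""Minimal file integrity monitoring: signed baseline plus drift check.

Added example for this page; not the AVC's, Target's, or any vendor's code.
Assumptions: a tree of "critical" files is given; the baseline is kept as
HMAC-signed JSON; the key lives somewhere the monitored host cannot write.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record digest, size and permission bits of every regular file under root.
    Symlinks are skipped so a planted link cannot stand in for a real file."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        entries[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,   # setuid/setgid bits included
        }
    return entries


def sign_baseline(entries: dict, key: bytes) -> bytes:
    """Serialise the baseline canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the baseline; a bad tag is itself an alert."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline file was tampered with")
    return json.loads(doc["body"])


def diff_baseline(baseline: dict, current: dict) -> list:
    """Return (kind, relative_path, changed_fields) tuples for every deviation."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            alerts.append(("added", rel, ""))
        elif new is None:
            alerts.append(("removed", rel, ""))
        else:
            changed = [k for k in ("sha256", "size", "mode") if old[k] != new[k]]
            if changed:
                alerts.append(("modified", rel, "+".join(changed)))
    return alerts


def demo() -> list:
    """Constructed scenario: baseline a small tree, then simulate an intrusion that
    patches a daemon, drops a new file, makes a script setuid and deletes a library."""
    key = os.urandom(32)  # assumption: in production this key is stored off-host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "posd").write_bytes(b"\x7fELF original pos daemon")
        (root / "bin" / "cleanup.sh").write_text("#!/bin/sh\nrm -f /tmp/*.log\n")
        (root / "lib" / "libpay.so").write_bytes(b"\x7fELF payment lib")
        baseline_blob = sign_baseline(snapshot(root), key)

        # simulated unauthorised changes (constructed for the example)
        (root / "bin" / "posd").write_bytes(b"\x7fELF original pos daemon, patched")
        (root / "bin" / "dropper.bin").write_bytes(b"MZ unknown helper")
        (root / "bin" / "cleanup.sh").chmod(0o4755)
        (root / "lib" / "libpay.so").unlink()

        return diff_baseline(load_baseline(baseline_blob, key), snapshot(root))


def tampered_baseline_is_rejected() -> bool:
    """Show that editing the baseline without the key is detected on load."""
    key = b"k" * 32
    blob = sign_baseline({"bin/posd": {"sha256": "00", "size": 2, "mode": 0o755}}, key)
    doc = json.loads(blob)
    doc["body"] = doc["body"].replace('"00"', '"ff"')
    try:
        load_baseline(json.dumps(doc).encode(), key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for kind, rel, fields in demo():
        print(f"{kind:8} {rel} {fields}")
    print("tampered baseline rejected:", tampered_baseline_is_rejected())
```

Run on a schedule (or from an agent) against the point-of-sale image, the baseline is regenerated only through change control, and each alert tuple is forwarded to the log collection system called for under Logging and Monitoring below rather than left on the host, where an intruder can delete it. A permission-only change such as the setuid bit on `cleanup.sh` is reported even though its contents and size are unchanged, which is why the example records mode and not just a digest.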

Whitelisting:

  • Deploy and maintain controls, such as, for example, an application whitelisting solution, designed to detect and/or prevent the execution of unauthorized applications within its point-of-sale terminals and in-store point-of-sale servers.

Logging and Monitoring:

  • To the extent technically feasible, implement reasonable controls to manage the access of any device attempting to connect to the Cardholder Data Environment, through hardware or software tools such as firewalls, authentication credentials, or other such access restricting mechanisms.
  • Maintain an appropriate system to collect logs and monitor network activity, such as through the use of a security information and event management tool.

Change Control:

  • Develop and maintain policies and procedures with respect to managing and documenting changes to network systems.

Development:

  • Take steps reasonably designed to appropriately maintain the separation of development and production environments.

Payment Card Security:

  • Implement, where appropriate, steps designed to reasonably manage the review and, where reasonable and appropriate, the adoption of improved, industry‑accepted payment card security technologies relevant to the company’s business and Cardholder Data Environment, such as chip and PIN technology.

Devalue Payment Card Information:

  • Make reasonable efforts to devalue payment card information, including, but not limited to, encrypting payment card information throughout the course of a retail transaction at a company retail location.

       Business owners, consultants and counsel need to bear in mind that the AVC should serve only as a general benchmark against which to structure and compare their own internal information security programs. Existing frameworks and pending legislation already supply more specific guidance on this matter.[9] Most notably, former California Attorney General Kamala Harris recognized the Center for Internet Security’s “Critical Security Controls” as a “…minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the [Critical Security] Controls that apply to an organization’s environment constitutes a lack of reasonable security.”[10] The AVC therefore signals how the Office of the Attorney General is likely to interpret and enforce the CIS Controls in practice. Against such a fluid legislative and regulatory backdrop, specific questions and concerns regarding information security compliance should be directed to counsel familiar with the practice area.


[1] As defined in the AVC, the “Cardholder Data Environment” includes those technologies that store, process, or transmit payment authentication data, consistent with the Payment Card Industry Data Security Standard.

[2] California’s attorney general agreed to a separate settlement agreement which incorporated the substantive provisions of the AVC, and differed only minimally in form and reference to applicable state law.

[3] A complete copy of the AVC can be accessed here: https://oag.ca.gov/system/files/attachments/press_releases/Final%20Judgment%20and%20Permanent%20Injunction.pdf.

[4] In California, “personal information” refers to: “[a]n individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) Social security number; (ii) Driver’s license number or California identification card number; (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (iv) Medical information; (v) Health insurance information.” (CAL. CIV. CODE § 1798.81.5(d)(1)). 

[5] Although considered progressive when originally enacted in 2003, California’s data protection and notification laws remain in constant flux, amended most recently during the state’s 2015 legislative session. See generally, DBNL, ch. 543, sec. 2.3, § 1798.82 (2016); RDSL, ch. 96, sec. 1, § 1798.81.5 (2016).

[6] AVC pt. III, para. d.

[7] The qualified risk assessor “…shall be: (a) a Certified Information Systems Security Professional (“CISSP”) or a Certified Information Systems Auditor (“CISA”), or a similarly qualified person or organization; and (b) have at least five (5) years of experience evaluating the effectiveness of computer systems or information system security.”

[8] See supra note 4.

[9] See generally, AB 1186 (2017); SB 327 (2017).

[10] Att’y Gen. Kamala D. Harris, California Department of Justice, California Data Breach Report, 2012–2015, at 30 (2016) (emphasis added) available at https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf.

BUCHMAN PROVINE BROTHERS SMITH LLP provides its clients, professional advisors and its friends with up-to-date reports on recent developments in business, real estate, employment, estate planning and taxation. 

Authored by:

Stephen-Bela Cooper
T: (925) 944-9700
scooper@bpbsllp.com

CIRCULAR 230 DISCLOSURE – Pursuant to rules and regulations imposed by the Internal Revenue Service, any tax advice contained in this communication, including any attachments, is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding tax penalties under the Internal Revenue Code or (2) promoting, marketing or recommending to another person any transaction or matter addressed herein.

The summary which appears above is reprinted for information purposes only. It is not intended to be and should not be considered legal advice nor substitute for obtaining legal advice from competent, independent, legal counsel. If you would like to discuss these matters in more detail, please feel free to contact us so that we can provide the clarification and resources you need to make effective decisions.