Over the holiday season, Target suffered a highly publicized data breach affecting between 70 and 110 million customers, one of the largest breaches of retail data in history. According to Target executives, the data was stolen by malware installed on point-of-sale devices in Target’s checkout lanes. The malicious software, known as KAPTOXA, captured the data encoded on the magnetic stripes of credit and debit cards as they were swiped and is believed to be the work of Russian hackers.

The Department of Homeland Security (DHS) is working in conjunction with a cyber security company, iSIGHT Partners, to investigate the breach. According to Tiffany Jones, a senior vice president at iSIGHT, “It’s not necessarily the specific malware components individually that make this new or sophisticated, but it’s really the size or scale of this operation at large that makes this unique.”

The scale of Target’s data breach has also attracted attention from Capitol Hill, and Target has agreed to testify before members of Congress. Representative Lee Terry [R-NE], Chairman of the House Commerce, Manufacturing, and Trade Subcommittee, said the hearing would focus on data breaches and their effects on consumers. Meanwhile, Senator Menendez [D-NJ] has argued that the Federal Trade Commission (FTC) should have the authority to levy fines against companies that do not adequately protect consumer data.

However, questions exist as to whether the FTC has the authority to investigate and bring an enforcement action against Target or any other company. Under the FTC Act, the Commission is charged with preventing “unfair or deceptive acts or practices that may affect interstate commerce.” The FTC has approached data security enforcement under the Act in two ways, relying on both the “deceptive” and the “unfair” prongs. On that basis, the FTC has brought over 40 data security cases since 2000.

Last year, the FTC brought suit against Wyndham Hotels & Resorts, alleging that the company’s “poor data security practices had led to three data breaches.” The Wyndham data breach resulted in fraudulent charges on consumer accounts and the export of consumer credit card account information.

Wyndham has challenged the FTC’s authority to police companies’ data security policies and practices, arguing that the FTC Act does not grant the agency the authority to regulate cyber security. Wyndham’s attorneys have also argued that the FTC’s practice of setting standards largely through consent orders is an insufficient form of notice. The litigation, currently underway in federal court, could prove very important to consumers and companies alike. If the court finds that the FTC does not have the authority to regulate data security, the question then becomes: who does?

–Rebecca Loegering


One Response to The Target: Protecting Consumers’ Data

  1. Bradlee Edmondson says:

    This is a very interesting issue, and indeed thousands of information security and privacy professionals are watching.

    The parties in the case recently submitted a joint supplemental brief [PDF], which succinctly outlines their positions and areas of contention. Notably, both the sufficiency of notice and the FTC’s interpretation of its own statutory authority are subject to deferential standards of review, and a finding on either ground (or both) might not prevent the agency from coming back with a slightly adjusted process or statutory interpretation argument in a later case.