It is getting even more difficult to become a director at Target.
Recently, Institutional Shareholder Services (ISS), a proxy adviser, suggested that seven of 10 directors at the retail giant be removed from office because the board of directors did not do enough to prevent a massive data breach.
The Target breach late last year led to the theft of personal information, including the names, addresses, phone numbers, and e-mail addresses of up to 70 million customers, InsideCounsel reported. As a result of the breach, estimates in fraudulent charges were as high as $240 million to $2.2 billion, according to a report from the Congressional Research Service. In addition, there has been speculation that the Target breach might have been preventable.
ISS wants the Target directors removed who were assigned to manage risk, and wants the company shareholders to remove them. An annual meeting is scheduled for June 11.
"It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders," ISS wrote in statement quoted by The Wall Street Journal. In response to the breach, Target took “reactionary” steps after the fact, such as hiring a new chief information officer.
The move by the ISS “further highlights” risk oversight responsibilities – especially related to data breaches – by boards of directors, according to Ronald Breaux, head of the Privacy and Data Security group at Haynes and Boone, and who recently spoke to the Bank of America Private Client Group on cyber-security and cyber loss prevention.
“Cyber-security is an enterprise-wide issue,” Breaux told InsideCounsel in an interview on Thursday. “It’s not just an IT issue.”
Boards are going to become more active in addressing cyber-risk management, as a result of the Target breach, he said. That means the board will look more carefully at what controls are in place to prevent and detect data breaches. They need to ask what the vulnerabilities are, and whether a company has an incident response plan in place. If a breach takes place, the board has to be involved with any investigation and find out what happened, how it was fixed and ensure it does not happen again, Breaux said.
“The material impact of a cyber-incident is much, much greater than people have historically believed,” Breaux said.
And when it comes to risk oversight, it is a primary responsibility of a board, which needs to ask the right questions and make sure the right people are in place, Breaux added.
He would also like to see a federal breach notification law put into place, rather than the current patchwork of 47 different laws found in different states in the United States.
And when it comes to the role that general counsel have, recent breaches at Target and Neiman Marcus “offer portentous reminders to boards and C-suites that the [GC] …must play a ground-floor role in forging a data breach response plan,” advises Attorney Richard Levick in InsideCounsel.
In a recent blog post, Avivah Litan, an analyst at Gartner, said, the Payment Card Industry (PCI) “security standard has largely been a failure when you consider its initial purpose and history. Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches.” In the case of Target, the fraudulent charges were the result of the PCI theft.