On May 23, the attorneys general of 47 states and the District of Columbia reached a settlement with Target Corporation of enforcement actions brought after a 2013 breach of the retail chain’s computer system. That breach famously compromised credit and debit card information of 40 million customers.
The headline that most commonly came out of this settlement is that Target agreed to pay $18.5 million to the states. This article is not about that penalty, because the more far-reaching aspect is the detailed obligations to ensure security that the state AGs have imposed upon Target.
To a degree, these measures resemble the requirements recently imposed on banks, insurance companies and brokerage houses by the New York Department of Financial Services. Taken together, the Target settlement and the New York regulations reflect a growing expectation among the states that companies take strong measures to safeguard their data and that of their customers.
Both the settlement and the regulations require the adoption of a formal information-security program that details administrative, technical and physical safeguards. While the Target settlement is directed to data regarding consumers and their credit cards, the New York regulations require financial institutions to protect all non-public information. This would include, for example, customer lists, vendor lists, computer source code and unpublished patent applications.
Both the settlement and the regulations require the appointment of an executive experienced in information security. That officer must advise both the CEO and the board of directors about the company’s security posture and risks. The regulations, more specifically, require this information security officer to report at least annually to the board of directors, including details of successful or unsuccessful efforts to gain unauthorized access to the company’s systems.
The settlement goes further than the New York regulations in requiring Target to scan and map the connections between its cardholder data environment (CDE) and the rest of its computer network and to segregate the CDE from the other parts of the network. To do so, Target must restrict or disable all unnecessary network programs that provide access to the CDE.
In addition, the settlement requires Target to deploy a file-integrity monitoring system that notifies personnel of unauthorized modifications to critical applications or to operating system files within the CDE.
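File-integrity monitoring of the kind the settlement describes works by recording a cryptographic digest of every protected file and later comparing the live files against that baseline, raising an alert for anything added, removed or changed. The script below is an added illustration written for this page, not code from the settlement, from Target or from the New York regulations; the directory layout, the file names (pos_agent, agent.conf, dropped.dll) and the tampering it simulates are all constructed so that it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan.

    Returns sorted lists under the keys 'added', 'removed' and 'modified';
    a monitoring agent would turn a non-empty result into an alert.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def format_alerts(changes: dict) -> list:
    """Render the comparison as one human-readable alert line per finding."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for name in changes[kind]:
            lines.append(f"ALERT file {kind}: {name}")
    return lines


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos_agent").write_bytes(b"original agent binary")
        (root / "etc").mkdir()
        (root / "etc" / "agent.conf").write_text("upload_host=internal\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: a patched binary, a dropped
        # file, and a deleted configuration file.
        (root / "bin" / "pos_agent").write_bytes(b"patched agent binary")
        (root / "bin" / "dropped.dll").write_bytes(b"unexpected file")
        (root / "etc" / "agent.conf").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

In a real deployment the baseline would be stored outside the monitored host (or signed), the scan would run on a schedule or on file-system events, and the alert lines would be routed to the personnel the settlement requires to be notified.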
Both the settlement and the New York regulations require an evaluation of the cybersecurity measures of vendors to ensure they comply with the company’s cybersecurity policy. The regulations limit this scrutiny to those vendors that maintain, process, or otherwise are permitted access to the company’s nonpublic information. Presumably, the settlement is meant to be limited in the same fashion, but its language is not clear on this point. The New York regulations pertaining to vendors do not go into effect until March 1, 2019.