BreachExchange mailing list archives

Banks Suing Target Make New Demands


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Jul 2015 19:45:43 -0600

http://www.databreachtoday.com/banks-suing-target-make-new-demands-a-8438#

U.S. banks and credit unions that filed a lawsuit against Target Corp.,
seeking to force the retailer to reimburse them for costs associated with
its massive 2013 data breach, now want the court to require Target to
disclose more details about its security practices.

In a motion filed July 24, plaintiffs' attorneys asked the court to force
the retailer to unseal certain documents. They argue that Target's
"blanket" confidentiality designation for documents tied to its security
processes and 2013 card and data breach is unfounded. And they claim Target
is trying to hide behind confidentiality of so-called "sensitive"
information about its intellectual property and security practices to avoid
humiliation.

Attorneys for the plaintiffs also argue that the financial institutions
involved in the class action are being denied access to vital information
that would help them make more informed decisions about whether to accept
settlements, or push forward with their lawsuit in an effort to recoup
breach-related losses and expenses.

In May, card issuers rejected Target's $19 million proposed breach expense
settlement with MasterCard.

Justification for Sealing Documents

Two cybersecurity attorneys not involved with the case say Target's request
to keep sensitive information sealed could be valid, because any
information linked to the retailer's security practices, network
infrastructure and handling of cardholder data could potentially cause
serious damage if made public.

"Good information security depends on denying hackers information about the
system and controls," says Ron Raether of the law firm Faruki Ireland &
Cox. "Something as basic as to the type and software version of a router
can be of value to hackers. Making public such details could erode Target's
existing security profile and put more consumers at risk."

And attorney Chris Pierson, who now serves as the chief security officer of
Viewpost, a payments network provider, notes that Target may have disclosed
certain documents and details about its breach to its own legal counsel,
making those documents privileged and, therefore, sealable.

"In order to prevent the disclosure of certain documents, the party would
have to claim a privilege of some sort - attorney-client privilege, trade
secret or other sensitive intellectual property, confidential document, or
some sort of PII [personally identifiable information] that should be
released only under certain controls," Pierson says. "To the extent
documents detailing how Target's security and infrastructure was or is
designed have been sealed, these documents would be highly sensitive and
subject to tight limitations and control by the court. The release of
unredacted network diagrams or controls could jeopardize the security of
the Target environment."

Representatives of Target, as well as attorneys representing the banking
institution plaintiffs in the case, declined to comment about the
litigation.

A hearing will be held Aug. 12 to consider the plaintiffs' motion to have
documents unsealed. On Sept. 10, the court will consider whether to grant
the lawsuit class-action status.

Making the Case

Plaintiffs' attorneys note that as part of the proposed settlement with
MasterCard, which ultimately was rejected, banks and credit unions would
have had to release their claims under the MasterCard Account Data
Compromise program, along with all claims in the class-action suit.

"To the extent Target again attempts to engineer a card brand settlement
that similarly aims to obtain for Target, outside the court's supervision,
a full release of its potential liabilities related to the breach,
including through this litigation, financial institutions should be
permitted to evaluate what they are being asked to give up," the
plaintiffs' motion says in arguing for Target to release more information.

MasterCard did not respond to Information Security Media Group's request
for comment about the failed settlement with Target. In May, however,
MasterCard said it was working to "resolve the matter."

And a Visa spokesperson tells ISMG that Visa is not pursuing a settlement
with Target related to its card breach. Instead, "Visa continues to work
with Target and its acquiring financial institutions regarding any
potential liability under its Global Compromise Account Recovery program,"
the spokesperson says.

In May, Visa modified its GCAR program to ensure that smaller card-issuing
institutions are compensated more for card re-issuance and other
breach-recovery-related expenses (see Why Visa's Paying Banks More after
Breaches).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
