Settlement of Target Data Breach Investigation – Cybersecurity Guidance

On May 23, 2017, it was announced that Target Corporation settled a multi-state investigation into Target’s 2013 data breach, which affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.

The announcements (e.g. Illinois and New York) explain that the multi-state investigation found that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party HVAC vendor, and used the credentials to exploit weaknesses in Target’s computer system to access a customer service database, install malware on the system and capture customer data and payment card information.

The settlement agreement requires Target to make an $18.5 million settlement payment and to develop, implement and maintain a comprehensive information security program. Target must also obtain and submit an information security assessment and report from an independent, qualified third-party assessor within one year to verify Target’s compliance with the settlement.

Following is a summary of some of the information security requirements set out in the settlement agreement:

1. Information Security Program: Target’s information security program must be written and contain administrative, technical and physical safeguards appropriate to the size and complexity of Target’s operations, the nature and scope of Target’s activities, and the sensitivity of the personal information that Target maintains.

2. Executive Responsibility/Reporting: Target must employ a qualified executive or officer to be responsible for implementing and maintaining the information security program and for advising Target’s CEO and Board of Directors regarding Target’s security posture and security risks and the security implications of Target’s decisions.

3. Resources/Support: Target’s information security program must receive required resources and support.

4. Vendor Management: Target must develop, implement and maintain written, risk-based policies and procedures for auditing vendor compliance with Target’s information security program.

5. Incident Response: Target’s information security program must ensure the appropriate handling and investigation of security events involving personal information.

6. Software: Target must make reasonable efforts to maintain and support software on its networks.

7. Encryption: Target must maintain encryption protocols and related policies for encrypting certain kinds of personal information stored on certain desktop computers or on laptop computers or other portable computers or during transmission wirelessly or across public networks.

8. Segmentation: Target must segment its cardholder data environment from the rest of its computer network.

9. Assessment/Testing: Target must take reasonable risk-based steps to identify and assess potential vulnerabilities to its cardholder data environment and implement a risk-based penetration testing program to identify, assess and remediate penetration vulnerabilities within Target’s computer network.

10. Access Control: Target must implement and maintain appropriate risk-based controls (including strong passwords and password-rotation policies) to manage access to and use of network accounts.

11. Program Management: Target must evaluate and restrict or disable (as appropriate) unnecessary network programs that provide access to Target’s cardholder data environment or related computer systems.

12. Two-Factor Authentication: Target must adopt a reasonable, risk-based approach to integrate two-factor authentication for network accounts.

13. Monitoring Systems: Target must deploy and maintain controls to detect and report unauthorized modifications to critical applications or operating systems within Target’s cardholder data environment.

14. Application Whitelisting: Target must deploy and maintain controls to detect and prevent the execution of unauthorized applications within Target’s point-of-sale terminals and servers.

15. Access Controls/Logging and Monitoring: Target must implement reasonable controls to manage access by any device attempting to connect to Target’s cardholder data environment, and an appropriate system to collect logs and monitor network activity.

16. Change Control: Target must develop and maintain policies and procedures for managing and documenting network system changes.

17. Separate Environments: Target must separate its development and production environments.

18. Industry Standards: Target must implement steps to reasonably manage the review and adoption of improved, industry-accepted payment card security technologies relevant to Target’s business and cardholder data environment.

19. Devalue Payment Card Information: Target must make reasonable efforts to devalue payment card information, including by encrypting the information throughout the course of a retail transaction.

The required security measures are generally consistent with cyber risk management guidance issued by regulators and self-regulatory organizations. For example, see New York State Cybersecurity Regulation for Financial Services Companies, Guidance for Supply Chain Cyber Risk Management, Regulatory Enforcement Action Emphasizes Need for Information Security Governance Framework, Cyber Risk Management Guidance for Corporate Directors, Cybersecurity Guidance from Investment Industry Regulatory Organization of Canada, and Guidance for Corporate Directors.

 
