A walk down Liability Lane: Unraveling retail credit card breaches

For years, big institutions were able to dodge responsibility for data breaches. There was no clear way of establishing causal connections between the exposure, the actual theft of data, and the criminal act of using the stolen identities.

That is not true of the recent high-profile retail point-of-sale breaches. These breaches are primarily discovered by the financial institutions that issue credit cards. With a high degree of accuracy, they are able to link fraud on stolen accounts to the leaky retail systems where the theft occurred.

Now, a fascinating walk down Liability Lane, as we explore two cases. The “freaky-fast” sandwich shop Jimmy John’s and Home Depot have both been hit by point-of-purchase system attacks. At minimum, the two companies might be accused of failure to perform due diligence of various kinds. But beneath the surface, there are astonishing details for curious litigators.

In the case of Jimmy John’s, a vendor sold an obsolete system into some of the stores, and the same vendor hired a discredited contractor to audit the system’s compliance with the Payment Card Industry Standards (PCI).

Habeas Hard Drive suggests that Jimmy John’s may have failed to request certain critical documentation from Signature Systems, the vendor that provided the credit card processing and point-of-sale system. Much as a construction contractor is licensed by the state, Signature Systems is approved by the PCI Standards Council to provide service to retailers. That means Signature Systems should have offered up, or Jimmy John’s should have demanded, a certificate ensuring the system and its software were compliant. They were not, and nobody discovered it.

At the same time, perhaps Jimmy John’s should have been able to rely on Signature Systems to vet the subcontractor that performed the audit of the system. That audit was done by a now-defunct company called Chief Security Officers, which, notably, is the only firm ever to be decertified by PCI, according to journalist Brian Krebs, who did the initial reporting on these details.

It’s clear that everyone involved bears part of the responsibility. All players involved in payment card transactions are obligated to understand and play by PCI rules, including the retailer.

Meanwhile, there was a head-scratching failure of due diligence at big-box home improvement store Home Depot, where the company’s chief architect of information security was convicted earlier this year of illegal entry to a former employer’s network, and of sabotaging critical systems. That’s not all — the employee’s record of cybercrime dated back to his high school days, when he infected his school’s computer systems with viruses and wrote on his personal website, “I love to write and distribute viruses.” This, according to a report by Ars Technica (linked above).

Habeas Hard Drive wonders how these facts failed to come to light, given mandatory background checks required by most big companies before they hire. Is this an outsourced HR function for Home Depot? Notwithstanding privacy protocol, were the background checkers precluded from discovering criminal misconduct?

Home Depot’s other security missteps have been well covered, and went beyond hiring a guy with a murky background. The company apparently failed to perform even the most fundamental security procedures, such as upgrading its years-old anti-virus program and regularly scanning its network. Scans are another PCI requirement, and would have detected openings on the network that allow intrusions.

Additionally, proper security architecture could have flagged suspicious activity on a network dedicated to payment card transactions, but Habeas Hard Drive supposes the chief architect may have been distracted by his impending criminal prosecution.

Upper management allegedly expressed repeated indifference to blaring security needs. Former employees claim that when they argued for security improvements, management closed the door, responding, “We sell hammers.”

There are indications that Home Depot began to get serious about tightening its systems after last year’s Target breach, but the malicious activity on Home Depot’s systems was long since underway by the time a security regimen could be put in place.

Litigators involved in data breach cases should ask the same questions that apply to any personal injury case. Uncovering evidence requires curiosity about peripheral players and the relationships they have to the primary parties. Digital evidence is uncovered the same way physical evidence is uncovered, and when it’s not clear where to look, there is expert help available to point the way.
