Tag Archives: Target

California AG Takes Lead In Cybersecurity

Data breaches at major retailers Target and Neiman Marcus during last year’s holiday shopping season affected more than 100 million people and focused new attention on the need to protect personal information stored online.

While it’s clear that tough data breach legislation must be enacted, California Attorney General Kamala Harris is taking action to improve cybersecurity in the state before new laws are passed.  Today she released recommendations to California businesses to help protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

In addition, Harris is leading an investigation by state attorneys general into the Target and Neiman Marcus breaches, Don Thompson of The Associated Press reported:

Harris’ office also disclosed that California is leading a multistate investigation into the massive holiday season consumer data theft at discount retailer Target Corp. and luxury retailer Neiman Marcus, breaches that left tens of millions of customers at risk. More than 7 million Californians were affected by the Target breach alone, Special Assistant Attorney General for Law and Technology Jeff Rabkin said.

The U.S. Justice Department is taking the lead in trying to identify the culprits, who are suspected to be based overseas, while the multistate investigation focuses on whether the retailers share blame because they lacked the necessary precautions to prevent the thefts. The state investigation also will explore whether Target and Neiman Marcus acted properly as soon as they learned of the problem, Rabkin said in a telephone interview.

The guide, Cybersecurity in the Golden State, offers suggestions focused on small to mid-sized businesses, which are particularly vulnerable to cybercrime and often lack the resources to hire cybersecurity personnel. In 2012, 50 percent of all cyber attacks were aimed at businesses with fewer than 2,500 employees and 31 percent were aimed at those with less than 250 employees, Harris said.

Key recommendations for small business owners include:

  • Assume you are a target and develop an incident response plan now.
  • Review the data your business stores and shares with third parties including backup storage and cloud computing. Once you know what data you have and where it is, get rid of what is not necessary.
  • Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and it is easy to use.
  • Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, avoiding downloading software from unknown sources and practicing safe online banking by only using a secure browser connection.

In 2003 California was the first state to pass a data breach notification law. In 2012 the law was amended to require any breach that involved more than 500 Californians be reported to the attorney general.

The 170 breaches reported to the attorney general’s office in 2013 represent a 30 percent increase over the 131 identified the year before, according to figures provided to The Associated Press. Among entities reporting breaches in 2012 were American Express Travel Related Services Co., Kaiser Permanente and several state government agencies, including the departments of Public Health and Social Services.

Given the current data breach laws Harris is taking meaningful action.  But, what’s ultimately needed is a law that would make her best practice recommendations legal mandates.  We need a California Financial Information Privacy Act that would:

  • Change breach notification standards to be immediate.
  • Set limits on the time data can be retained. And limits on what information can be collected and retained.
  • Write minimum-security standards into the law so that they are no longer voluntary.
  • Most importantly: create a private right of action. Put a price tag on retailers’ mistreatment of our private financial information.

Until there is a real price to pay, Target, Neiman Marcus and other retailers will continue to make us targets.


Posted by John M. Simpson, Consumer Watchdog’s Privacy Project Director.

Target Needs to Pay for Targeting Our Privacy

Target is targeting our privacy. There’s a big red bullseye, a target – like the one on the shirt I’m wearing today – that Target and Neiman Marcus, who chose not to show up to answer questions today, have put on us because they haven’t done enough to protect our private financial data. And the reason is that there’s no financial incentive to do so.

110 million Americans had their personal financial information breached. That’s one out of two adult Americans. I was in Sacramento today to testify in front of a joint California Assembly committee hearing investigating the breach. And yet Target did not send a single representative to Sacramento today to answer questions about the largest data breach in American history?

The fact that Target didn’t show up today tells us all we need to know about how sorry Target is and how committed it is to our privacy.

If you are as offended by this as I am, I have a t-shirt for you to wear too.

The reason Target won’t face legislative questions today is the same reason that our personal financial information and data is at such grave risk: there is no price to pay. There are few financial penalties to companies like Target when our personal data is taken.  

Beyond public embarrassment, Target has little financial incentive to care.

We, the consumers, pay the consequences but we have no remedies.

According to the Committees’ own staff research, 1 in 4 consumers whose personal information is taken becomes a victim of identity theft. 1 in 4 victims of a data breach is also a victim of identity theft. If these numbers apply to Target, that would potentially create more than 25 million identity theft victims.

There’s a harm. The retailers had a role in creating that harm. And yet they have no liability under California law for what they have or have not done to safeguard the sanctity of our personal information.

The problem with privacy violations is that unlike thefts of money or property the law does not recognize a harm and does not provide a remedy.

As the Committees’ staff research states: consumers have no remedy under the law for the loss of financial privacy suffered through these data breaches, and the 1 in 4 risk of id theft they face.  Zero remedies.

So why would retailers invest in greater security, or meet voluntary industry standards, or move away from risky magnetic strip technology?

If they don’t have to pay a price they don’t have an incentive to change.  And that leaves our private financial information with a big bullseye on it.

What can we do?

We need a California financial information act that mirrors our Medical Information Privacy Act.    

When there is a data breach of our medical information, the drug company, hospital or medical center is liable to the consumer for $1,000 per violation.  

Guess what?  Medical data breaches are fewer and farther between. When they occur companies pay a big price.

The same should be true for our financial data. We need a California Financial Information Privacy Act.

It would:

  • Change notification standards to be immediate.
  • Write minimum-security standards into the law so that they are no longer voluntary.
  • Set limits on the time data can be retained. And limits on what information can be collected and retained.
  • Most importantly: create a private right of action. Put a price tag on retailers’ mistreatment of our private financial information.

Until there is a price to pay, Target and other retailers will continue to make us targets.

If you are as offended as I am by Target’s absence today in Sacramento, please share our Target design online to show your displeasure.

When a company as big as Target won’t provide a single representative to answer questions about the largest data breach in American history, it is time for California to step up and deliver on the promise in Article 1 Section 1 of our state constitution: Privacy is an inalienable right.


Posted by Jamie Court, President of Consumer Watchdog.