Reputation Risk Fallout Never Ends. Just Ask Target.

Did you ever make a mistake you couldn’t live down? Maybe your friends and family tease you about it good-naturedly when you get together. Or maybe it was a more serious infraction and you became a cautionary tale.

That’s exactly where Target is nearly four years after its data breach in 2013. You probably remember it as the one that affected 41 million customer payment card accounts and exposed contact information for more than 60 million customers. It happened when hackers got into Target’s system through a third-party HVAC vendor and installed malware at point-of-sale registers.

Not only is Target still held up as the standard example of third-party vendor management gone wrong in every single data security article you’ve read, but now it’s back in consumer headlines as the New York attorney general announced that 47 states and the District of Columbia reached an $18.5 million settlement with the retail giant over the breach. The settlement also requires Target to implement a data security program, which it’s already done.

Mandatory elements include:

  • developing, implementing, and maintaining a comprehensive information security program.
  • employing an executive or officer who is responsible for executing the plan.
  • hiring an independent, qualified third-party to conduct a comprehensive security assessment.
  • maintaining and supporting software on its network.
  • maintaining appropriate encryption policies, particularly as pertains to cardholder and personal information data.
  • segmenting its cardholder data from the rest of its computer network.
  • undertaking steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

Talk about a news story that just won’t go away. Target has apologized to customers. It’s testified before Congress. It’s improved its data security and paid a fine. Yet almost four years later, and it’s still making headlines.

That’s why it’s critically important to protect your reputation and assess and mitigate all risks to it, including third-party vendors. When customers and the media talk about your institution, you want it to be for the positive reasons.

Don’t let a mistake cast a shadow over your brand. People are slow to forget.