Cross-Border Cybercrime and the Cybersecurity Wars

By Sue Reisinger
October 02, 2014

The Home Depot data breach may be the largest in the U.S. yet, affecting not only millions of customers in the U.S., but also shoppers at its 180 stores in Canada. Home Depot said customers who shopped at its U.S. and Canadian stores as far back as April were exposed, meaning the breach extended for more than four months including the busy summer season. That is far longer than the three-week Target breach.

The largest U.S. home improvement chain says it has not found evidence that debit card PINs were compromised, nor that online customers or shoppers at stores in Mexico are affected. The company did not say how many cards might be affected, but did say that customers will not be held responsible for fraudulent charges to their accounts. Experts fear the attackers may have gotten away with data from more than 40 million payment cards.

International Breaches

The breach raises questions about how a cross-border incident can affect a company.

Cyberexperts suggest that an international breach can complicate a company's response.

Joan Stafslien, general counsel for CareFusion Corp., an S&P 500 medical technology company, told e-Commerce Law & Strategy's ALM sibling, CorpCounsel.com, that a cross-border breach would raise two key issues: “What are the legal implications in Canada, such as what legal obligations must be met, such as notification of customers; and what are the business implications, which may be bigger than the legal ones? What damage does the breach do to your brand?”

Stafslien, a chemical engineer before she became a lawyer and who was scheduled to speak about cybersecurity issues at DLA Piper's third Global Women's Leadership Summit in Chicago at the end of September, says: “It's naïve for anybody to think they have 100% secure systems. You need to work very closely with an IT forensic team. You need folks who look at it more from a perspective that there are people out there trying to harm your company, and can you identify them before harm is done. That's the trick - having good people.”

Another lawyer and cybersecurity expert, who asked not to be named because his law firm has worked with Home Depot in the past, says Home Depot would need to look at the law in the different provinces in Canada where it has stores to determine any legal implications.

He says the retailer would have to decide whether to extend the same kind of notification and assurances, such as credit monitoring, to customers in Canada as it does to customers in the U.S. “And that may be a business decision as much as a legal one,” he added. (Home Depot's spokeswoman Paula Drake told CorpCounsel.com that the company is offering free identity protection services to all customers in the U.S. or Canada who used a credit card in any store.)

“This is just another instance of why it's important for corporate counsel to be involved in cyberrisk management,” the lawyer noted. “How to manage the response and the recovery is the kind of planning that corporate counsel can be doing today [before any breach]. It's important to get ahead of the curve.”

Home Depot's Response

The Home Depot has 2,266 retail stores in all 50 states, the District of Columbia, Puerto Rico, U.S. Virgin Islands, Guam, Mexico and 10 Canadian provinces. In fiscal 2013, the company reported sales of $78.8 billion and earnings of $5.4 billion.

CEO Frank Blake addressed the breach in a statement on Sept. 8: “We now have enough evidence to confirm that a breach has indeed occurred. It is important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”

The statement said the investigation began Sept. 2, “immediately after the company received reports from its banking partners and law enforcement that criminals may have hacked its payment data systems.”

The company has not yet placed a figure on the number of customers whose credit card data may have been stolen, but experts suggested it could far exceed the 40 million cardholders affected by a breach at Target Corp. last Christmas season.

The statement said the breach could have affected all Home Depot customers from early April until it was detected in early September.

At least one security expert was critical of the length of time that hackers were messing with the retailer's computers. “Honestly, Home Depot is in trouble here,” Eric Cowperthwaite, vice president of Core Security, an Internet-security consulting company, told The New York Times. See, “Home Depot Data Breach Could Be the Largest Yet,” NY Times. He noted that a security blogger, not the company, first reported the breach.

“This is not how you handle a significant security breach, nor will it provide any sort of confidence that Home Depot can solve the problem going forward,” Cowperthwaite told The Times.

The Times story added that customers in Georgia filed a class action lawsuit against Home Depot for failing to protect customers from fraud and not alerting them to the breach in a timely manner.

On a broader note, the Retail Industry Leaders Association (RILA) issued a statement calling for more cooperation between the public and private sectors to combat retail cyberattacks.

Among other actions, the group is part of the Merchant-Financial Services Cybersecurity Partnership. The partnership, a collection of 19 associations, is bringing together government and industry leaders to explore cybersecurity challenges facing the retail and finance community, and to discuss possible legislative and regulatory actions to improve protections.

Elsewhere, the Association of Corporate Counsel (ACC) also has scheduled sessions for in-house lawyers on compliance and cross-border data protection at its 2014 ACC annual meeting, being held Oct. 28-31 in New Orleans.

Multistate Probe

The attorneys general of Connecticut, Illinois and California are leading a multi-state probe into the Home Depot data breach, according to a spokeswoman for Connecticut Attorney General George Jepsen.

“We have had initial contact with the company,” Jaclyn Falkowski, director of communications for Jepsen, told the Reuters news service. “We would decline any further comment at this time.”

Meanwhile, U.S. senators Richard Blumenthal (D-CT) and Edward Markey (D-MA) have called on the Federal Trade Commission (FTC) to investigate. “If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information,” the senators said in a statement. “Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act.”

The Battle Against Cybersecurity

As the news from Home Depot makes clear, general counsel should already have cybersecurity at the top of their list of major concerns.

Several general counsel who appeared on a panel about cybersecurity last month cosponsored by Major, Lindsey & Africa and Dykema spoke with CorpCounsel.com about a GC's role in protecting the company. See, “Protect and Defend: Why Cybersecurity Matters and What You Can Do to Guard Against Data Breach Risks.”

The ironically named Mark Hacker, senior vice president and general counsel of Motorola Solutions, says major data breaches no longer surprise him: “I think any company who thinks they are not under attack right now is wrong. Every company is under attack. The question is, do they have a robust enough way to stop those attacks from getting through and a way to mitigate the attacks when they happen?”

Hacker says his company experiences attacks every day, and most are detected by a network perimeter system and stopped before they can do any damage. “Make sure you have a robust network monitoring process that is continually updated,” Hacker advises. “You can't get comfortable, you can't just check the box; you've got to have someone waking up every day and making sure you are evolving as attacks evolve.”

Alice Geene, chief legal officer at the restaurant marketing company Rewards Network, also is responsible for information security at her firm. It's a good fit for her because she was formerly general counsel of Chicago cybersecurity company Trustwave Holdings.

Cybersecurity is a hot topic right now, Geene says, because of all the recent data breaches that have hit the news, including the breach at Target. The Home Depot breach only adds to the substantial pile of major companies that have been hacked.

“In security, the experienced practitioners understand that there is no way to engineer 100 percent of risk out of a system,” Geene says. “So you need to identify areas of greatest threats and take steps to prevent those breaches.”

She says corporate data security reaches well beyond the IT department. And GCs need to be up to speed with the new set of cyberguides and other information issued by the National Institute of Standards and Technology (NIST), the federal agency that promotes standards and technology to enhance economic security.

In February, NIST launched its Framework for Improving Critical Infrastructure Cybersecurity. It consists of standards, guidelines and practices to promote the protection of critical infrastructure. “The prioritized, flexible, repeatable and cost-effective approach of the Framework helps owners and operators of critical infrastructure manage cybersecurity-related risk,” according to NIST.

Attorney Jonathan Feld, who handles cyberbreach litigation at Dykema Gossett, says GCs need to establish a protocol in advance of any breach, outlining what steps to take and in what order. Feld says the plan should spell out the first things to do in case of a breach, “such as whom to contact, what to preserve either for the government or for private litigation later, and what notification requirements apply.”

The potential cost of a data breach can be staggering, Feld says. “From the actual cost of the breach, to litigation over the breach, to the loss of confidence by customers,” all underscore why security is critical, he explains.

Attorney Michael Sachs, a partner at Major, Lindsey & Africa and a former in-house counsel for NBC Universal, agrees that cybersecurity has become a critical issue for general counsel. “If your company has a strong brand reputation, a security breach could mean a colossal loss,” says Sachs, a member of his firm's in-house practice group in Chicago.


Sue Reisinger writes for Corporate Counsel, an ALM sibling publication of e-Commerce Law & Strategy. Reports from ALM sibling The Connecticut Law Tribune staff and wire services also contributed to this article.

