In a recent article concerning the Target data breach, it was reported that the hackers used stolen credentials from one of Target's third-party vendors to gain access to Target's systems.[1] New information just released indicates that the third party was not a technology service provider, but rather an HVAC company (heating, ventilation, and air conditioning).[2] While it may be surprising to the average consumer that an HVAC provider was given network access to Target's systems, there may be a reasonable explanation for this.

While investigations are still underway, it is interesting to consider whether the legal liability spotlight could shift from Target to the vendor and what, if anything, Target could have done to mitigate legal risk before the breach occurred. Some strategies include the following:

  • Only provide the network access that is necessary to accomplish the discrete task the provider needs to perform
  • Once the discrete task is performed, remove the network access
  • To the extent possible, impose technical limits on the type of data that can be accessed, and monitor that access
  • Transfer legal risk to the third-party provider by written contract
  • Follow internal policies and procedures as well as external audit frameworks concerning I.T. governance best practices, such as requiring password complexity, disabling unused system accounts, and separating roles and responsibilities
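As an added illustration of the first three strategies above (this is example code written for this page, not code from the article, from Target, or from any vendor), the following Python model shows a vendor access grant that is limited to one task's network segment and ports, expires on its own, can be revoked as soon as the task is done, and records every decision so that out-of-scope attempts can be reviewed. All vendor names, network segments, hosts, ports and timestamps are constructed for the example.

```python
"""Time-bounded, scope-limited vendor access with an audit trail.

Constructed example: every network, host, vendor name and time below is
made up. Models the controls listed above: grant only the access a task
needs, remove it when the task ends, limit and monitor what is reached.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass
class VendorGrant:
    """One vendor account's access, tied to a single task and a deadline."""
    vendor: str
    task: str
    allowed_nets: list        # ip_network objects the vendor may reach
    allowed_ports: frozenset  # TCP ports the vendor may reach on those nets
    expires_at: datetime      # access lapses here even if nobody revokes it
    revoked: bool = False


@dataclass
class AccessLog:
    """Every access decision for every vendor, kept for monitoring."""
    entries: list = field(default_factory=list)

    def record(self, grant, when, dst, port, allowed, reason):
        self.entries.append({
            "vendor": grant.vendor, "task": grant.task, "when": when,
            "dst": str(dst), "port": port, "allowed": allowed, "reason": reason,
        })

    def denied(self, vendor):
        """Denied attempts are the ones worth reviewing: they show a vendor
        account reaching for something its task never required."""
        return [e for e in self.entries
                if e["vendor"] == vendor and not e["allowed"]]


def grant_access(vendor, task, nets, ports, hours, now):
    """Least privilege: only the listed networks and ports, only until the deadline."""
    return VendorGrant(
        vendor=vendor, task=task,
        allowed_nets=[ip_network(n) for n in nets],
        allowed_ports=frozenset(ports),
        expires_at=now + timedelta(hours=hours),
    )


def revoke(grant):
    """Task finished: remove the access instead of leaving it in place."""
    grant.revoked = True


def check_access(grant, dst, port, now, log):
    """Decide one connection attempt and record the decision in the log."""
    dst_ip = ip_address(dst)
    if grant.revoked:
        allowed, reason = False, "revoked"
    elif now >= grant.expires_at:
        allowed, reason = False, "expired"
    elif not any(dst_ip in net for net in grant.allowed_nets):
        allowed, reason = False, "outside allowed networks"
    elif port not in grant.allowed_ports:
        allowed, reason = False, "port not allowed"
    else:
        allowed, reason = True, "in scope"
    log.record(grant, now, dst_ip, port, allowed, reason)
    return allowed, reason


def run_scenario():
    """Constructed scenario: an HVAC vendor gets 8 hours on the building
    management segment only. Attempts at another segment, at a port the task
    does not need, after expiry, and after revocation are all denied."""
    t0 = datetime(2014, 2, 1, 9, 0, tzinfo=timezone.utc)
    log = AccessLog()
    grant = grant_access("hvac-vendor", "BMS controller firmware update",
                         nets=["10.10.50.0/24"], ports=[443], hours=8, now=t0)
    results = [
        check_access(grant, "10.10.50.7", 443, t0 + timedelta(minutes=5), log)[0],
        check_access(grant, "10.20.1.5", 1433, t0 + timedelta(minutes=6), log)[0],  # other segment
        check_access(grant, "10.10.50.7", 22, t0 + timedelta(minutes=7), log)[0],   # wrong port
        check_access(grant, "10.10.50.7", 443, t0 + timedelta(hours=9), log)[0],    # expired
    ]
    revoke(grant)  # task done: access removed, not left for later reuse
    results.append(check_access(grant, "10.10.50.7", 443, t0 + timedelta(hours=9), log)[0])
    return results, log


if __name__ == "__main__":
    outcome, audit = run_scenario()
    print("decisions:", outcome)
    for entry in audit.denied("hvac-vendor"):
        print("review:", entry["vendor"], entry["dst"], entry["port"], entry["reason"])
```

The point of the model is the order of the checks and the log: a stale or revoked grant is refused before any scope test runs, scope is expressed as explicit networks and ports rather than "the vendor network", and the denied entries give the monitoring team a concrete list of what a vendor account tried to reach that its task did not justify.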

Even companies that are not in the retail industry may put themselves at risk by allowing third-party access to their systems. Regardless of the industry, organizations that are in possession of sensitive personal information may be able to learn lessons from the Target data breach case.

Footnotes

1. Available at http://www.latimes.com/business/money/la-fi-mo-target-data-breach-vendor-20140129,0,8026.story#axzz2s14ODPPO (last visited January 31, 2014).

2. Available at http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ (last visited February 5, 2014).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.