By: Andres F. Puerta
Over the last few years, numerous retailers, including Wal-Mart, Target, The Home Depot, and Neiman Marcus have been victims of major cyberattacks. In 2009, hackers broke into Wal-Mart’s computer system and stole information from cash registers, though the company did not release exactly what information the hackers stole. During the 2013 holiday season, Target experienced a cyberattack that resulted in hackers accessing personal information for about 110 million consumers. In 2014, The Home Depot endured five months of undetected cyberattacks, resulting in the theft of over sixty million credit card numbers of its patrons. Also in 2014, although hackers set off 60,000 security alerts that should have notified Neiman Marcus of questionable activity, staff members paid little attention, enabling the theft of customer credit card records for eight months.
Cyberattacks, which are “becoming both more brazen and more common,” are “deliberate attempts by unauthorized persons to access” information and communications technology (“ICT”) systems, usually with the goal of theft, disruption, damage, or other unlawful actions. Cybercriminals seek to obtain financial account information and other customer data that they can monetize. These criminals may target point-of-sale (“PoS”) systems, or customer databases to harvest user credentials, stored financial data, stored personally identifiable information (“PII”), and similar datasets. Cybercriminals may take advantage of busy holiday shopping seasons to compromise retailer payment systems and steal customer information at a time when the high volume of activity may help hide malicious network activity. Additionally, cybercriminals may increasingly target retailers that adopt new payment systems, seeking to take advantage of any previously undetected vulnerabilities or security flaws in these systems.
Customer data with retailers has been increasing at a rapid pace over the last decade. Access to this data has made the retail industry one of the primary targets for cyberattacks. Retailers face, on average, at least eight cyberattacks per year, with 74 percent of them considered advanced threats. According to the 2016 Global State of Information Security Survey by PwC, 81 percent of retail and consumer companies in North America detected at least one security incident since 2015. The financial losses from these security failures are significant, with retailers’ losses ranging from $100,000 to as much as $10 million. In 2016, BDO, an international network of public accounting, tax and advisory firms, released its “Retail Riskfactor Report.” According to the BDO report, a possible security breach is the biggest retail security risk, tied for the top spot with “general economic conditions.”
A security gap at a retailer “may lead to information leaks, which in turn can lead to increased cost, reduced revenue, and regulatory sanctions.” But financial losses are not the only adverse results of a cyberattack. In retail, reputational damage is also a concern, as the damage to reputation poses a serious threat to the continued success of a company. Mark Yourek, IBM’s Global Retail Solution Lead, stated that “[t]he financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident.”
Additionally, retailers may face both statutory and civil liability resulting from a cybersecurity breach. Lawmakers across the country are moving to put more of the liability for security breaches of consumer data onto retailers, including forcing them to pay back all of the costs related to a breach. Federal proposals would also require retailers to adhere to specific standards to secure the sensitive data that retailers maintain. On the civil side, retailers may face class action lawsuits from consumers, along with facing potential shareholder derivative suits for inappropriate handling of security breaches. Target, for example, faced over 40 class actions lawsuits before the end of December 2013.
With the rise of e-commerce and the move to storing data over digital platforms, retailers have encountered new challenges brought on by cybercrime. While the frequency and sophistication of cyberattacks on the retail industry are growing, retailers are increasingly faced with the reality that they do not fully understand where their customers’ data is travelling, and what their risks are. Although the threat of cyberattacks is serious, retailers have the opportunity to gain a competitive advantage by addressing consumers’ concerns and meeting their expectations for enhanced online security.
The frequency of cyberattacks has made the necessity of cybersecurity become more prevalent now than ever as retailers have fully embraced the move into the digital age. Cybersecurity has come to be known as the act of protecting ICT systems and their contents. Cybersecurity usually refers to one or more of three things: 1) a set of activities and other measures intended to protect—from attack, disruption, or other threats—computers, computer networks, related hardware and devices software and the information they contain and communicate, including software and data, as well as other elements of cyberspace; 2) the state or quality of being protected from such threats; and 3) the broad field of endeavor aimed at implementing and improving those activities and quality.
To protect their customer and themselves from liability, retailers must take steps to enhance their cybersecurity strategy in light of the present environment. First, retailers can adopt is a risk-based cybersecurity framework, in which retailers assess the company’s “cyber readiness” by identifying and prioritizing their vulnerabilities according to risk tolerance. The adoption of a “risk-based security framework” will also enable retailers to improve their ability to quickly detect and mitigate security breaches.
Retailers must also go beyond simply adopting a cybersecurity framework. For example, retailers must also protect the PoS system, which is the most common entry point for cybercriminals. This can be achieved by using EMV chip technology at cash registers along with building IT firewalls that isolate the PoS system from the broader business network. Retailers can also adopt cloud-based cybersecurity to better block attacks and accelerate their response to a breach. Lastly, retailers should provide security training for employees at all levels. Part of any cybersecurity strategy should be the education of employees not to click on unknown attachments or links and running scenario training events so that employees understand their roles in responding to cyberattacks.
The rise in cyberattacks, however, does leave room for a potentially lucrative business opportunity by those willing to get into the field. Out of nearly six million software-related professionals in the U.S., according to the Bureau of Labor Statistics, fewer than 89 thousand, or just 1.5%, are cybersecurity specialists. This demand should attract entrepreneurs and investors into cybersecurity ventures, as cybercrime is most certainly here to stay as it continues to evolve and becomes increasingly more complex.
Retailers must take a “better safe than sorry” approach towards cybersecurity. The world of business will continue to shift into the digital universe, exposing retailers to a constant barrage of cyberattacks from all angles. Retailers face financial losses, reputational damage, and statutory and civil liability if they do not take the issue of cybersecurity seriously and adopt measures to protect consumer information. In the digital age, increased cybersecurity budgets for retailers are simply the new cost of doing business.
 Benjamin Snyder, 5 Huge Cybersecurity Breaches at Companies You Know, Fortune (Oct. 3, 2014), http://fortune.com/2014/10/03/5-huge-cybersecurity-breaches-at-big-companies/.
 What are the Biggest Issues in Cyber Security in 2016?, The Huffington Post (Nov. 9, 2016), http://www.huffingtonpost.com/quora/what-are-the-biggest-issu_b_12885862.html.
 Eric A. Fischer, Cybersecurity Issues and Challenges: In Brief, Congressional Research Service (Aug. 12, 2016), https://fas.org/sgp/crs/misc/R43831.pdf.
 Cyber Threats to the Retail and Consumer Goods Industry, FireEye (last visited Mar. 3, 2017), https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/ib-retail-consumer.pdf.
 100% of Retailers Worried about Cybersecurity, Security Magazine (June 1, 2016), http://www.securitymagazine.com/articles/87167-of-retailers-worried-about-cybersecurity.
 Jennifer Ramstrom, Retailers’ Increased Cyber Security Budgets, CIO (Jan. 20, 2017), http://www.cio.com/article/3159638/security/retailers-increased-cyber-security-budgets.html.
 Douglas Bonderud, Retail Security Risks: 2016 Midyear Roundup, Security Intelligence (May 31, 2016), https://securityintelligence.com/retail-security-risks-2016-midyear-roundup/.
 Tom Schuurmans & Olaf Helmond, Cyber Security Challenges for Retailers, Deloitte (Mar. 24, 2016), https://www2.deloitte.com/nl/nl/pages/consumer-business/articles/cyber-security-challenges-for-retailers.html.
 Douglas Bonderud, Cyber Security Challenges: How do Retailers Protect the Bottom Line?, Security Intelligence (July 15, 2014), https://securityintelligence.com/cyber-security-challenges-how-do-retailers-protect-the-bottom-line/.
 Allison Grande, Retailers Take Brunt of Breach Liability Under New Bills, Law360 (May 30, 2014), https://www.law360.com/articles/540367/retailers-take-brunt-of-breach-liability-under-new-bills.
 Kimberleigh Dyess, Cybersecurity Failures and Resulting Liability Issues, Association of Corporate Counsel (Apr. 11, 2016), http://www.acc.com/legalresources/quickcounsel/cybersecurity.cfm.
 Schuurmans, supra note 16.
 Fischer, supra note 7.
 2016 BDO Retail Riskfactor Report, BDO United States (last visited Mar. 5, 2017), https://www.bdo.com/insights/industries/retail-consumer-products/2016-bdo-retail-riskfactor-report.
 Ramstrom, supra note 13.
 BDO United States, supra note 26.
 Ramstrom, supra note 13.
 Harriet Taylor, Biggest Cybersecurity Threats in 2016, CNBC (Dec. 28, 2015), http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html.
 BDO United States, supra note 26.
 The Huffington Post, supra note 6.