Litigation Over Retail Malware Attack – New Liability and New Solutions
It’s happened again.
Another malware related breach that has impacted a company’s finances and reputation. This time it’s led to a lawsuit, not the first and certainly not the last.
In this case, Noodles & Company, a fast-casual restaurant based in Colorado with locations across the US, has been sued in a class-action motion by banks and other financial institutions. The lawsuit should serve as a wake-up call, both to retailers of all kinds and also to the financial sector that supports retailing.
Noodles & Company suffered a malware breach on January 2, 2016, that compromised POS devices at 322 locations countrywide. The malware proceeded to run undetected for approximately 19 weeks before the credit card processor notified the company about the unusual activity that was observed. The subsequent investigation and response took about two weeks to complete and wrapped up on or around June 2, 2016.
A critical element of the lawsuit centers around the length of time that Noodle & Company allowed malware to persist undetected – the 19 weeks. The argument made in the suit is that the volume of data stolen was needlessly large – much greater than it should have been, had the company been monitoring their systems properly. Because the company lacked sufficient monitoring capabilities to identify and address malware breaches, this 19-week window occurred leading to undue damages. This window of time, between malware breaching corporate defenses and ultimately being detected, is known as the breach detection gap – or dwell time.
What’s interesting in this case, and a telling sign of where things are moving is that the lawsuit is based on the premise that the failure to appropriately adopt capabilities to detect malware that has breached defenses and persists undetected can be identified as a negligent act. This premise is being tested in US courts through this case.
Should the case be successful, there will be a legal precedent that organizations must take steps to proactively seek out malware that has infected their infrastructures or suffer legal and financial consequences.
The damages claimed against Noodles & Company are severe and some are ongoing without defined limits. The damage claims include:
- Costs associated with canceling and reissuing credit/debit cards used over the breach detection gap period – including the reissuing of all known compromised cards
- Costs with closing/opening Noodle & Company accounts, including stopping payments and blocking transactions
- Costs associated with refunding unauthorized charges to cardholders who used their cards at Noodle & Company locations over the breach detection gap and remediation period
- Costs associated with increased volume of cardholder complaints, confusion, and concerns
- Costs associated with increased fraud monitoring efforts
- Loss of revenue as a result of decreased card usage after the breach was disclosed to the public
Time will tell where the case leads, it may be settled out of court and so avoid becoming part of legal jurisprudence. However, it is clear that the expectations of partners in business are evolving to include a baseline where companies will be expected to police their breach detection gap assiduously. These expectations will soon become part of the normal business process, and will also permeate the expectations of the public at large.
Defining and Managing Your Breach Detection Gap
Today’s reality is that the systems that run our businesses, governments, and services are under constant threat. Enterprises must accept a new default security context – malware will breach defenses. It does not matter what defenses are in place or how much you have invested in them, it is simply a matter of time before malware of one sort or another finds its way in.
To mitigate the risks of being named in a similar class-action suit, enterprises need to adapt their risk management strategies and learn how to define and manage their breach detection gap, as well as put technology in place to hunt for malware and threats.
Companies need to ask themselves “How many days can I go blind?” How many minutes, hours or days is reasonable for a set of functional endpoints to be compromised with active or dormant threats?
Each enterprise will have its own acceptable risk for all business operations. Determining what constitutes acceptable risk now requires enterprises to define a reasonable period of time that malware can be allowed to persist once it has breached defenses.
Organizations also must be able to demonstrate with documented proof that they have not been compromised beyond that defined gap. To do so they must adopt the capability to proactively look for malware that has breached defenses and is undetected.
This approach will become the new standard for cyber risk management.