Thursday, March 13, 2014

Target hackers should have been thwarted by routine malware maintenance



So this actually all happened before our course even started (November 2013). There was essentially a major data breach for Target customers, and it was later realized that many of them had saved credit card information registered to their Target accounts. This is a pretty standard measure for websites involved with online shopping because it optimizes checkout convenience, but obviously a major problem if your company’s mainframe is hacked. 

A recent update (this article) indicates that at least eight former employees had knowledge of the hack, and that despite the anti-malware software Target had set up to protect itself against this kind of predicament and the various precautionary measures it had taken, hackers obviously succeeded in infiltrating the system. In fact, the director of threat intelligence operations at McAfee (presumably the programmer of this software) stated that Target did not have a sufficient grasp of how to use the program, since a simple protective feature that would have thwarted the attack had been manually dismissed by Target due to a misconception regarding the use of that feature. 

In my opinion, this is disturbing on several levels. Firstly, whether or not you are prone to online shopping, websites on which you have registered an account have a record of your personal data that could be made available through hacking. Companies obviously take various security measures to increase consumer confidence in using the services they offer, but it remains largely up to the consumer to offer some incentive for a company to do this job properly. As long as Target’s consumer base doesn’t deplete in response to this hack (which it hasn’t in any substantial way) and no large-scale damages seem to have been reported that could ground a tort claim through the company’s negligence, there is no lasting ramification on this company despite its egregious error with respect to delicate customer information.

Can we really continue to argue that there should be no punitive or statutory implications for such cavalier treatment of personal information, particularly in light of the significant role these kinds of accounts play in our society? I’m skeptical that this gray area in the law can continue for much longer when it already seems so impractical.
