Advisory firm wants majority of Target board members voted out over breach

Members of Target's audit and corporate responsibility committees should have done more, ISS says

A company that advises institutional shareholders on governance risk and proxy voting issues wants seven of Target's 10 board directors voted out over the massive data breach disclosed by the retailer last December.

In an alert released Tuesday evening, Institutional Shareholder Services (ISS) called on Target's major shareholders to vote against directors who are members of Target's Audit and Corporate Responsibility Committees at the company's shareholder meeting on June 11.

The two committees are responsible for overseeing and managing Target's risk assessment processes and reputational risk, ISS noted in its report. Specifically, the committees are tasked with periodic reviews and audits of Target's risk identification and assessment practices and with responding to and mitigating identified risks.

Members of both committees should have been more closely monitoring the possibility of data theft, especially considering the amount of credit and debit card data that Target handles and the fact that it does online retailing, ISS wrote.

"What may be of concern to shareholders is the failure of these committees, and possibly by extension the full board, to recognize the potential threat faced by the company," ISS said.

The data breach showed that Target was inadequately prepared for the risks of doing business in today's e-commerce environment. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach," and subsequent losses.

In addition to recommending the ouster of board members, ISS also called on shareholders to vote for a separation of the chairman and CEO roles to improve oversight and management of operational and reputational risks.

A Target spokesman did not respond specifically to a request for comment on ISS' recommendations, but noted that the company's board views security as a shared responsibility.

"This oversight occurs as a continuous part of the Board's review of Target's strategy and specific initiatives that support the strategy," the spokesman said in emailed comments. "With respect to information security matters, the Board believes that Target was among the best-in-class within the retail industry -- we had made significant investments in data security, and had been certified to be PCI-DSS compliant."

Regarding the proposal for an independent chairman, Target prefers to maintain flexibility to determine which leadership structure best serves the interests of Target based on the circumstances, the company noted. "The Board believes that there are many strong governance practices in place at Target that balance any risk of concentration of authority that may exist with a combined Chair/CEO position."

In discussions with ISS since the breach, Target acknowledged the need for better internal processes for identifying potential risks and for putting less reliance on external risk reports that suggested the company's systems were robust enough prior to the breach, ISS wrote. Following the breach, Target has also identified the need for a chief information security officer and a chief compliance officer.

"The addition of these 'new' positions raises serious concern about how Target could have been running a business of its size and complexity without these permanent roles," ISS said, while also dismissing some of the steps the company has taken since the breach as "reactionary."

Target in December disclosed that unknown hackers had broken into its systems last fall and accessed credit, debit card and other data belonging to more than 100 million customers.

Since then, the company has quickly become a textbook example of the consequences a company can face in the wake of a major data breach.

Target's stock price has declined by more than 10% since the breach disclosure, reflecting a $4.2 billion loss in market value between December and May, ISS said. The company has already spent more than $80 million on breach-related expenses, such as breach investigation and remediation, credit-monitoring services for affected customers and legal and other fees.

If the experience of companies such as TJX and Heartland Payment Services is any indication, Target could end up spending tens or even hundreds of millions of dollars more in breach-related costs. Already, more than 80 lawsuits have been filed against the company over the data breach.

The breach has also prompted executive changes at the highest level. In March, Target CIO Beth Jacobs resigned from the company over the data exposure. Earlier this month, the company announced that president and CEO Gregg Steinhafel was stepping down.

Not all of the changes are solely breach-related. Many analysts believe that Steinhafel's departure, for instance, was likely prompted by Target's botched expansion attempt in Canada over the past two years. The same reason is likely to have contributed to the company's lower stock price, but there's little doubt that the breach has played a major role in the company's woes.

This article, Advisory firm wants majority of Target board members voted out over breach, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
