The Target and the MCCCD security breach compared
Target’s CEO has become the first boss of a major corporation to lose his job over a breach of customer data, showing how responsibility for computer security now reaches right to the top. —- Associated Press
It’s a new era for boards to take a proactive role in understanding what the risks are. —- Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin.
The Target and MCCCD represent two contrasting approaches on how to handle a security breach. There are striking similarities on what took place and significant difference on how the companies handled the situation.
So far, the Target Board of Directors has looked at risks and taken action to protect their company. They have chosen transparency and a clean slate as they move forward. In contrast, the MCCCD Governing Board has taken no action. It has surrounded itself with lawyers. It is breaking several AZ laws according to current lawsuits, keeping the top of the organization intact, blaming employees and stonewalling everyone. Which company would you want to work for? Which company has a better chance to survive?
Here is what they have in common:
- They both had a CEO and CIO (Chancellor and Vice-Chancellor of IT) responsible for the organization
- They both impacted millions of people and disclosed a huge pre-Christmas breach
- The Target CEO and the MCCCD Chancellor have been with the organization for nearly 30 years
- They are both being sued (MCCCD now faces 2 class actions lawsuits at over $6 billion)
- They will both be spending millions in lawyers to defend themselves
- They are both losing money (one in terms of stock, the other in terms of enrollment, down 8% at MCCCD)
- Both organizations faced unprecedented challenges.
Here are a few of the differences:
- Target notified the public almost immediately. MCCCD delayed notification 7 months.
- Target’s breach was a flaw in their security systems. MCCCD had known for years about their flaws and did nothing.
- Target fired their CIO in March 2014, while MCCCD has chosen to keep their CIO somewhere in the system.
- Target hired a highly qualified interim CIO, while MCCCD has chosen to use two Co-CIOs with limited Enterprise experience.
- The Target IT department remains largely intact. The MCCCD IT department has lost nearly 50% of the staff and almost all institutional knowledge.
- The Target Board appears to be united. The MCCCD Board is divided and does not trust their legal counsel.
- The Target Board of Directors decided to get involved. The MCCCD Governing Board is sitting idle with a few exceptions.
- The Target Board of Directors decided is the right time for new leadership. The MCCCD Governing Board has done nothing.
- The Target’s Board of Directors said Steinhafel “held himself personally accountable” for the breach, one of the largest on record at a retailer. That is not the case for MCCCD where employee are being scapegoated.
- The Target Board of Director’s fired their CEO. MCCCD Governing Board is supporting their Chancellor and his Administration.
Neither of these two companies have handled the situation correctly. The Target Board of Directors is at least making changes at the top and holding those in senior leadership positions accountable and responsible.
The approach MCCCD has taken so far is simple, blame the incident on innocent IT employees who warned the organization, hire lots of lawyers to protect the Administration and do not hold the Chancellor and Vice-Chancellor of IT accountable. An 8% decline in enrollment translate to millions of dollars. Several multi-billion dollars lawsuits will likely bankrupt the system. A 50% attrition in IT personnel due to hostility and mismanagement practices leaves the organization at even greater risks. Stonewalling and scapegoating employees makes enemies not allies. Raising tuition and property taxes puts both the students and the community against you.
Which approach do you think will appease the masses and allow the organization to move forward?
Who is the MCCCD Governing Board serving?
Here are a few resources on the Target breach. As you read these articles, compare Target to MCCCD. There are many similarities and many differences.
3 TV – AZ Family
Target’s CEO is out in wake of big security breach
Target CEO out in the wake of breach