The attacks, which originated in Europe and China, targeted major corporations and government agencies including pharmaceutical giants Merck & Co. and Cardinal Health.  The operation has affected some 75,000 computers in 196 countries.

Now is the time to examine your company’s business practices to make sure that your critical data and intellectual property are safe from complex electronic and socially initiated thefts.  Lapses in appropriate security measures can expose your company to major financial losses, both from theft and from civil lawsuits filed on behalf of clients or customers affected by the breach.

To protect your company and your shareholders from such losses or litigation, your company’s security practices must be up to date and in compliance with state and federal regulations.  Your IT security practices should also be part of your overall corporate governance, led by your general counsel so that this information is protected by attorney client privilege.

Information Defense Corporation and Interfor Inc. a leading global due diligence and investigations firm are partnered to offer our clients unique and comprehensive security solutions.  From physical security, asset recovery and crisis management to risk based and technical assessments of electronic assets and controls, the team is positioned to work with your company’s legal and combined security personnel to keep your assets, personnel, intellectual property and trade secrets safe or to help restore the integrity of your operations with incident response and forensics and other measures following a security breach.

For more information on the services offered by our team effort please use our contact pages here:  Contact Us

Essentially it goes like this.  In 2004 BJ’s Wholesale Club’s ineffective information risk management lead them to first, store customer credit card data that they should not have been storing, and secondly not provide even a modicum of security around it.  Apparently the data was stored unencrypted, with default passwords, and limited or no monitoring.  All of which allowed the customer credit card data to be stolen.

BJ’s settled charges with the FTC “that it failed to provide adequate security for its customer data” in 2005.  BJ’s also recorded $10 million in related costs.  In addition to the $10 million, under terms of the settlement BJ’s will implement a comprehensive information security program and be subject to third-party audits every other year for the next two decades.

PSECU, a card issuer who suffered $100,000 loss reissuing suing cards to its effected members, sued BJ’s and Fifth Third Bank in 2005. The credit union lost at the district court.  The new ruling reverses the district court ruling and will allow Pennsylvania State Employees to continue with their case against BJ’s and Fifth Third Bank.  The ruling found that even though the credit union was not a direct party to the contracts between VISA, BJ’s, and Fifth Third, it has third party beneficiary rights.

I can understand PSECU suing BJ’s.  After all it was BJ’s inadequate security that led directly to PSECU’s loss.  However PSECU is claiming 5/3 bore some responsibility for inadequately training BJ’s staff.  It is completely beyond me why this is 5/3rds responsibility.  Nevertheless, this ruling could have far reaching consequences in the payment card industry by effectively making card processors responsible for the sins of their merchants.  It could possibly lead to changes in the PCI-DSS standards, to processor-required training programs, have insurance impacts, or even force processors into effectively “policing” the PCI compliance and information risk management practices of their merchants.

It will be interesting to see how the suit finally turns out.