Target’s data theft leaves CEOs everywhere on the hot seat
NEW YORK — Chief executives beware: Data breaches can now cost you your job.
On Monday, Target Corp. ousted CEO Gregg Steinhafel following a hacker attack that compromised the personal data of millions of shoppers during the holiday season. His main error was to move too slowly in shoring up the chain's defenses even after being warned that point-of-sale terminals were vulnerable to cyber criminals.
Since revelations that Target, Neiman Marcus, and Michaels Stores had all been hacked late last year, company directors have embarked on a crash course to understand and combat the threat. Next month, the National Association of Corporate Directors will meet in Chicago for its first Cyber Risk Summit.
''This is a sea change, right here, right now,'' said Davia Temin, of Temin & Co., a New York crisis-management firm. ''The risk now goes right smack to the CEO and to the board.''
The data breach was the last straw for Target's directors, who replaced Steinhafel as chairman and CEO. He had been at the chain for 35 years.
John Mulligan, Target's chief financial officer, will serve as interim CEO. Board member Roxanne Austin will be interim chairwoman.
Bloomberg Businessweek reported in March that Target had ignored warnings from its hacker-detection tools, missing an opportunity to stop the attack sooner. The breach compromised 40 million credit-card numbers, 70 million addresses, phone numbers, and other pieces of information.
After the attack became public in December, Target's reputation took a hit. Its US comparable-store sales fell 2.5 percent in the fourth quarter.
Other companies will probably face pressure to hold executives accountable for their handling of data breaches.
''It sends a very loud and clear message that nobody is indispensable, and CEOs have to mind the store in every respect,'' said Howard Gross, at Boyden Global Executive Search in New York. ''After something like this, a lot more CEOs will be taking a hard look at their security.''
Besides the June 11 Cyber Risk Summit, the National Association of Corporate Directors has created an eight-part video series that explains the basic issues to boards and how they can deal with the risk, said Ken Daly, the group's president. A 2014 white paper on the topic has become the association's top downloaded report, he said.
''It's been on the radar for a while, but surely Target catapulted it into the big time,'' Daly said, adding that the cyber summit will probably sell out.
Target's failure has helped elevate the issue from a conundrum for audit committees to an issue for the entire board and top executives, said Jerry Storch, a former Target executive who runs his own consulting firm, Storch Advisors.
''No one really believes the CEO could prevent a data breach, but the CEO is responsible for anything that happens, both good and bad,'' said Storch. ''That's part of having the job.''