CIO

Advisory firm wants majority of Target board members voted out over breach

Members of Target's audit and corporate responsibility committees should have done more, ISS says

A company that advises institutional shareholders on governance risk and proxy voting issues wants seven of Target's 10 board directors voted out over the massive data breach disclosed by the retailer last December.

In an alert released Tuesday evening, Institutional Shareholder Services (ISS) called on Target's major shareholders to vote against directors who are members of Target's Audit and Corporate Responsibility Committees at the company's shareholder meeting on June 11.

The two committees are responsible for overseeing and managing Target's risk assessment processes and reputational risk, ISS noted in its report. Specifically, the committees are tasked with periodic reviews and audits of Target's risk identification and assessment practices and for responding to and mitigating identified risks.

Members of both committees should have been more closely monitoring the possibility of data theft, especially considering the amount of credit and debit card data that Target handles and the fact that it does online retailing, ISS wrote.

"What may be of concern to shareholders is the failure of these committees, and possibly by extension the full board, to recognize the potential threat faced by the company," ISS said.

The data breach showed that Target was inadequately prepared for the risks of doing business in today's e-commerce environment. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach" and subsequent losses, ISS said.

In addition to recommending the ouster of board members, ISS also called on shareholders to vote for a separation of the chairman and CEO roles to improve oversight and management of operational and reputational risks.

A Target spokesman did not respond specifically to a request for comment on ISS' recommendations, but noted that the company's board views security as a shared responsibility.

"This oversight occurs as a continuous part of the Board's review of Target's strategy and specific initiatives that support the strategy," the spokesman said in emailed comments. "With respect to information security matters, the Board believes that Target was among the best-in-class within the retail industry -- we had made significant investments in data security, and had been certified to be PCI-DSS compliant."

Regarding the proposal for an independent chairman, Target prefers to maintain flexibility to determine which leadership structure best serves the interests of Target based on the circumstances, the company noted. "The Board believes that there are many strong governance practices in place at Target that balance any risk of concentration of authority that may exist with a combined Chair/CEO position."

In discussions with ISS since the breach, Target acknowledged the need for better internal processes for identifying potential risks and for putting less reliance on external risk reports that suggested the company's systems were robust enough prior to the breach, ISS wrote. Following the breach, Target has also identified the need for a chief information security officer and a chief compliance officer.

"The addition of these 'new' positions raises serious concern about how Target could have been running a business of its size and complexity without these permanent roles," ISS said, while also dismissing some of the steps the company has taken since the breach as "reactionary."

Target in December disclosed that unknown hackers had broken into its systems last fall and accessed credit, debit card and other data belonging to more than 100 million customers.

Since then, the company has quickly become a textbook example of the consequences a company can face in the wake of a major data breach.

Target's stock price has declined by more than 10% since the breach disclosure, reflecting a $4.2 billion loss in market value between December and May, ISS said. The company has already spent more than $80 million on breach-related expenses, such as breach investigation and remediation, credit-monitoring services for affected customers and legal and other fees.

If the experiences of companies such as TJX and Heartland Payment Services are any indication, Target could end up spending tens or even hundreds of millions of dollars more in breach-related costs. Already, more than 80 lawsuits have been filed against the company over the data breach.

The breach has also prompted executive changes at the highest level. In March, Target CIO Beth Jacobs resigned from the company over the data exposure. Earlier this month, the company announced that president and CEO Gregg Steinhafel was stepping down.

Not all of the changes are solely breach-related. Many analysts believe that Steinhafel's departure, for instance, was likely prompted by Target's botched expansion attempt in Canada over the past two years. The same reason is likely to have contributed to the company's lower stock price, but there's little doubt that the breach has played a major role in the company's woes.

This article, Advisory firm wants majority of Target board members voted out over breach, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
