The Consequences Of Not Conducting Cyber Due Diligence

As I have talked about before, the PNI division of Staples provides digital photo kiosks and online printing to the likes of Costco, Walgreens, CVS and Walmart and announced they had been breached in July of this year.  This resulted in all of these customers taking their photo processing sites off line.

Costco had previously announced that it would re-enable the site in early August but has now said that it will take more time.

Costco has said that it was unsure as to whether customer data was compromised.  So far, they still don’t know or at least aren’t saying.

So what is the take away here? Just to be clear, I don’t have any insider knowledge here, so I am speculating.

First, Costco and the other customers of PNI may not have done sufficient cyber due diligence both before entering into the agreement to hitch their little red wagon to PNI’s and on a continuing basis.  Although this is hard to tell given the very little information that has been released, there clearly is a problem and given that they are delaying the re-enabling of the service, the problem is likely bigger than they thought.

In this case, since Costco and others were private labeling PNI’s services, the brand damage is to Costco, not PNI.  No Costco customer thought they were leaving Costco’s web site or store and doing business with a third party.  This also means that the lawsuits, if any happen, will be with Costco, although it is likely that PNI/Staples would get dragged in.

Also, very clearly, the brand damage to PNI is significant and could even be fatal.

I assume, and it is only an assumption, that big companies like Costco and Walmart have active and effective VENDOR cyber risk management programs, but many companies do not and no one is talking right now, so we do not know.

Second, Staples may not have done sufficient cyber due diligence before writing a check for $67 million to acquire PNI.  For a company like Staples, $67 million is lunch money.  Unfortunately, the checks that they may have to write, absent insurance coverage which hopefully they have, could dwarf the purchase price.  It is also not clear whether the restart of, for example, Costco’s photo service will be with PNI or someone else.  Lost business and future lost business could devalue this acquisition substantially.

While Staples is a multi-billion dollar company, so are the affected customers such as Costco and Walmart.  Everyone has lots of lawyers.  Expect there to be claims and potentially lawsuits.

While I would be foolish to suggest that cyber due diligence and effective vendor cyber risk management programs would eliminate issues like the one that PNI/Staples, Costco, Walmart and others are dealing with now, it is fair to say that that it improves your odds of dodging issues like this.

Given the size of all of the companies involved, they will all likely survive.  Whether that would be true for smaller companies is not at all clear.

See my earlier post here.

Information for this post came from Investopedia.

by