Target board defends its role before and after data breach

Under fire for its role in handling the data breach, Target's board defended itself to shareholders on Monday in a bid to hold on to its seats in voting at next week's annual meeting.

In a letter sent to its largest investors, Roxanne Austin, the board's interim chairwoman, outlined the actions the Minneapolis retailer took before and after the data breach to protect customer data and asked them to re-elect the entire board.

"We want to assure you that the board takes its oversight responsibilities seriously and we recognize the importance of Target addressing these information security issues in the most effective manner possible," she said.

Target would not comment beyond the letter.

The letter came several days after a report by Institutional Shareholder Services (ISS), a prominent proxy adviser, urged investors to oust seven of the retailer's 10 board members, including Austin. It argued that the board failed to protect the company against last year's breach in which tens of millions of customers' personal and financial information was compromised.

Austin countered that data breaches have affected a "wide range of victims" including the U.S. government, technology companies and retailers.

"Cybercrime is a real and persistent threat as sophisticated criminals are constantly seeking to breach information networks and steal data," she wrote in the letter, which also was filed with the Securities and Exchange Commission.

Under the board's leadership, she said, Target took significant actions before the breach to address cybertheft risks. For example, she said Target invested hundreds of millions of dollars in network security personnel and technology, doubled the number of information security employees over five years, and staffed a security operations center around the clock to review suspicious network activity.

She didn't explicitly address the criticism the retailer has faced in recent months, including from a U.S. Senate committee in March, that it missed multiple opportunities to thwart the attack on its systems, including alerts from its own anti-intrusion software.

But since the breach, Austin said, the company has undertaken a comprehensive review of its network security and is conducting a broad examination of its risk oversight structure.

She outlined some additional steps Target is taking now, such as replacing all of its customers' Redcards with chip-enabled cards and equipping its stores with chip-enabled card readers. It also recently hired a new chief information officer and is working to fill a newly created position of chief information security officer as well as a new chief compliance officer.

Last week, ISS issued a searing report in which it said the board "should have been aware of, and more closely monitoring, the possibilities of theft of sensitive information." It also suggested that Target's actions since the breach have been largely reactionary in nature as its share price has fallen about 11 percent.

But another proxy adviser, Glass, Lewis & Co., had a different take on the situation. It said that there is not enough evidence that the breach resulted from board or management neglect. Still, it recommended shareholders reject two board members for other reasons.

Target will hold its shareholders meeting in Dallas on June 11.

Kavita Kumar • 612-673-4113