A company that advises institutional shareholders on governance risk and proxy voting issues wants seven of Target's 10 board directors voted out over the massive data breach disclosed by the retailer last December.
In an alert released Tuesday evening, Institutional Shareholder Services (ISS) called on Target's major shareholders to vote against directors who are members of Target's Audit and Corporate Responsibility Committees at the company's shareholder meeting on June 11.
The two committees are responsible for overseeing and managing Target's risk assessment processes and reputational risk, ISS noted in its report. Specifically, the committees are tasked with periodic reviews and audits of Target's risk identification and assessment practices and with responding to and mitigating identified risks.
Members of both committees should have been more closely monitoring the possibility of data theft, especially considering the amount of credit and debit card data that Target handles and the fact that it does online retailing, ISS wrote.
"What may be of concern to shareholders is the failure of these committees, and possibly by extension the full board, to recognize the potential threat faced by the company," ISS said.
The data breach showed that Target was inadequately prepared for the risks of doing business in today's e-commerce environment. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach" and subsequent losses, ISS said.
In addition to recommending the ouster of board members, ISS also called on shareholders to vote for a separation of the chairman and CEO roles to improve oversight and management of operational and reputational risks.
A Target spokesman did not respond specifically to a request for comment on ISS' recommendations, but noted that the company's board views security as a shared responsibility.
"This oversight occurs as a continuous part of the Board's review of Target's strategy and specific initiatives that support the strategy," the spokesman said in emailed comments. "With respect to information security matters, the Board believes that Target was among the best-in-class within the retail industry — we had made significant investments in data security, and had been certified to be PCI-DSS compliant."
Regarding the proposal for an independent chairman, Target prefers to maintain flexibility to determine which leadership structure best serves the interests of Target based on the circumstances, the company noted. "The Board believes that there are many strong governance practices in place at Target that balance any risk of concentration of authority that may exist with a combined Chair/CEO position."
In discussions with ISS since the breach, Target acknowledged the need for better internal processes for identifying potential risks and for putting less reliance on external risk reports that suggested the company's systems were robust enough prior to the breach, ISS wrote. Following the breach, Target has also identified the need for a chief information security officer and a chief compliance officer.