Posted by CRU

Target Customer Data Breach: More Lessons Learned the Hard Way

If you haven’t already heard, Target and its security auditor, Trustwave, have been sued over the data breach that occurred during last year’s Christmas shopping season.

This probably isn’t a big surprise to anyone paying attention to this story. But what’s helpful to those sitting on the sidelines is the path that got Target to this place. Especially if you’re in business for yourself.

Here are a couple of key decision points Target faced that are worth looking at:

1. According to the lawsuit, Target knew in 2007 that their systems were at risk.

Okay. So, why didn’t they correct their systems? In part because they didn’t want to spend the money required to get them up to par. Bad decision on their part. Sometimes in business you really just need to take the plunge and invest, especially with something this important.

2. Target outsourced their data security to Trustwave.

Many institutions and companies rely heavily upon outsourcing, especially when they don’t have the necessary expertise in-house. This isn’t a bad thing at all. Unfortunately, in this case, their chosen provider dropped the ball by declaring that there were “no vulnerabilities” in Target’s systems, even as late as September 20, 2013.

Hindsight is always 20/20

Maybe Target execs didn’t have enough IT or data security knowledge to make better decisions? Maybe they just didn’t take their data security seriously enough? Maybe they did make the best decisions for them, at the time, using traditional cost/benefit methods, and decided to roll the dice on this one?

Regardless of what got them here, the rest of us can at least use this as a learning experience, and hopefully avoid some pains of our own.