|
|
|
TJX Defense: Everybody Was Doing It
By: Evan Schuman
2007-10-22
Article Rating: / 0
There are 1 user comments on this Enterprise Applications story.
Opinion: In outlining its case regarding the largest data breach ever, TJX seems to be forgetting about the consumer.As the latest TJX saga—the banks versus the retailer—unfolds, I cant help but be reminded of driving along a major New York highway. Cars are speeding through every lane. "What are the chances that, with all of these cars speeding, the police will nab me?"
As the legal arguments begin to be made—as they were the week of Oct. 15 in a Boston federal courtroom—there is little discussion yet about responsibility to protect cardholder data. Most of the TJX defenses seem to be variants of, "Everybody was doing it, so why pick on me?" As the state trooper would reply on that New York highway, "because you got caught."
A major element of this case is proving fraud. To do that, lawyers for the banks are going for a sin-by-omission approach. By not having told MasterCard, Visa and others that its security was, in the words of U.S. District Court Judge William Young, "antiquated and deficient," it tricked those card companies into letting them continue to accept credit cards.
TJXs response in court was both cynical and regrettably true. To paraphrase: "Oh, come on. Cut me a break. Everyone—and especially Visa and MasterCard—know how terrible the security was at all of the major retailers. So to say now we were had is ludicrous."
 Click here to read more about the ultimate gift for the cyberthief.
Instead of paraphrasing, lets listen to the exact words of Breck Weigel, one of the attorneys for TJX card processor Fifth Third Bank: "We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI compliant. So not only do we have the name plaintiffs in this case who attended these meetings and would not have replied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesnt exist."
Interestingly enough, TJXs attorneys are using the extreme severity of the TJX data breach to argue why TJX shouldnt be punished. In what is widely considered the worst data breach reported, the Framingham, Mass., retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006.
One could point to the long duration of the unnoticed data breaches as evidence as somebody being less than attentive to security. But TJX is using that long duration to say that too much changed during that time period.
When it started, PCI was barely real and no one was taking it very seriously. (Are they taking it seriously today? Well, no, but that ruins my point. Stop distracting me with context.) Heres a wonderful line from TJX attorney Richard Batchelder, referring to the PCI Council: Theyll "say youre going to have to move to this standard by such and such a date. And so theres this entire period of time when theres a standard out there, but you dont have to comply with it until Visa or MasterCard says you have to comply with it."
TJXs official position is that they ignore the PCI Council babysitter until Visa Mom or MasterCard Dad get home? Candor is a wonderful gift.
In civil litigation, the vast majority of cases settle out of court. TJX had better hope this one does. If they ever have to face an emotional jury of—gasp—consumers, they may find that trier of fact not nearly so forgiving. Judges instructions notwithstanding, they may not clear TJX because of the rampant security carelessness of consumers financial data. They may actually punish them for it. Silly consumers. Dont they know the law?
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at Evan.Schuman@ziffdavisenterprise.com.
To read earlier retail technology opinion columns from Evan Schuman, please click here.
Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.
|
|
�������x}r㶲s\@♵M"b{)ْgƶ,8:U*$�ER�e��oВ/xjl �Fwh4#�I"gnZΘ̦dwꚃ�>]K$wB}�w�N�UQV C7_/(�bP�<�HwO7n[c^0�R�a���᳙*,��?$C5në |'3j
�`㥨��aP`\�9t}�
Go&lw��"�ScO�$ӡ��NfI%p'0���G^C]õ]��R,R͌eCwt=��P��z�OMҳB�(�$g�>v?$?Q Ig%K�a�W)K�k0�~b[�4I܃N8C�En�ڏ�U[۾�t�wgyHff�r�t�9a�&�ԃ �}(p}=\'BL|:�/EӝfؖqSth(�͑�ZMQJʁp�Uwcwm9{�2+�Qo_wTTMSEe��u7�ںs��m9k%�sruO}vN�6y��vtx//;YHM~c?�0QYTJi�/�ZH���WP=��uϑkzQҏ[-[��J�i%�٥vdY̞o���f�V҈�g�UU�Y;~K~2/˫NM퓏W)7f٘Y�ji��d�m�vb�!?Z�
V5uս�itN=d't: +?9VU'?��lxiuH�54Y�01\�
\V+�Hj=2�IeLBusB
,_Ndo?�!}_w��nr@
i/�],{beQ
S5fh�X@�?$eR2ML9�X@/@שS a�WtB=88m&T7oh�2��4 Vfmp��a4z�@Lt�&:h�)5?�&9gMa�b&DJH?�є=mZ^$Pe!P샖_.�� jΫ�ﲢٛ�"On�;�zL*\��R@��1�Al8{Ä*^뻹(4l=�j\��֛esJ�Vt]�h�c;]g8m7-һ^5?a$шf�",�$��M}sQV��1|`2_;ڇʁ��Up�-Aqb2B��c�=M:gvX�,��0��ZG>O;SjZi};Ni$|N���I�}ѦM�ޡh1�@�
L�na�
8
V8;
t�#uә�=��W45W/h�`G�I�
�l"�&q���3)к`��o`2à�F{t(
�,/��G`\@4�8`�$8ʼ��E�!1Y@��X�ȁ`sĵ[ݲeǀԜ�{:�;r%Ea1�CD�ȧ�$D�!��-i]�R@A�z8��-��,rr<���/~#AvGBjy?m�lry 3w�rvn2�3,BV-KїPf%i2kh�ƪń(VFN�1|�(0��Vf)�xf&i��&NHZ:'4$a.*d٢S9`�c߽p����7,kR2G�l/L+f��N(A\_�.Ƈ5L[nlQr`8 0�:|Ch�2�i�{MYguϳ-j���r�Ǹ!W�q�9`n5�ډIVB!7O)wz@atɕU.F�iJ�W2�1�8�FL�yK
('��wJFJ�V�!zh'>eg�HlYJb-Y~k�%fcP.ou�riO_�%��9&ےxmEڠ�ueLGyK-#��
IHf�(XK+e�zlxy���D62�C�i�n
Py�\�{8`O��7l{`(�jrIj��#S�V+kVM^Ma+ �L��
�4
�o�p�*7`bB0
OaN��y6rNz{zl.n� �8x>JeH�כAB�'��[BSkjj�33�-F �
o�_�׆�K c*8tԳtgqq?[Z�N®tєg/hOӫvp��uу=9Je!6�#�{e�{WH�LZ`!?RRՄ4���i/#Y���X6Tȵm.0}�ugNPOK-s˙@�'g@:"ZC�GѠV���Ē8riPzP(
cW�E˟.Y@Y�*#܊�W�k�
Bo` 12l�3u�/.zr|pݱM% y�<_RJ'2?CU^ٯV�R�w�-"jTU�j�SCjzVU
L3��)' Sf��� N|_ћxũ1z�tU9�kJo��m��^R39X>>:�
'01�2&�z@j9ajv�6<~0�(r�E=4!ݹrI6San0-�ѝUT&KVg=�i�b�GH��e�,]�r�.�_�a>Z7i`�rdd8+ѡ,X���rMTՑnR
U�����tT#�C�Wt��a� �X�]Q�iSm���ؽm?VNg?b����:skx�豸<
QB|�7z8b&Q�ajY[�⺪T�j%}gV��{oR64F@�2<"C��8\�bS>{�tV{PBK&nƚ7�3}&mnoG{_x<��ErN?dZIp|avJrekH˷��bgf\�itLeb`l
"Z`|�i�-X`&c1�s*?
.}l�3pڳ.�`Mɧb_;(Xc�փ0 HǸ}�73Onl*r1=_�?J=�[L4G�@V1-0=��̞�̝�A
m��ۨ��X9)6�?`�(vP�J`Y V8g[}DS8ߊIj�f�RMOT*%0=k@"TA�ұg.@C׳@g.7^y"
ς2w4A̘5
%
=EЋvc�SLJ]��I�TY�) jq
g@Vf2UݯT+EzX�z�,)5rd�&R�rE�E�7uȋ7�P'#I(U?}P�ud*WKU�~�U��rm4r�Ok,���ش,6�"h -���z��
ezrP-�,sK"hJgԋ_��r[rn)ty�4�ņ5GQh-BwYb
`��3W?f�44Nb�VqDM�?ҁ�h)033RlȪV;P%봚j%I=NM���=1h+Q�cKB�uṚo{{kC4�÷��,+L)~3�9�Ȕ:)xT״}�m\�ߑN[ 8Z�J^-�ç,Dr_.���ekR-�T8J3��,�$�e,zǃx]!6p�s���^ar0qq�8(��-E<9_�K�84H
xϰL�'^+*ŵ?hxqLL�_~ۅ^k5eQj���E1v�kJV�~�ZgZ�qZ�t(+w��IIcԧt<}=3>&L{~;Atf;C {D>;�><�{{q 4
}E\?��U˧�W�-sg�a\�dz�LR(���ɢ]�2�~ܮ~^6[�aFڧ(Z@�iD*~{.7>t.ėlOg+~�u.R ~Rz0W�N<|8dIN*�ax�ݼN8>n48��Z&IEyĘ���3��6� B�@��˸tZ+,�8�;XKs! }�=#٠b�Gkh�Nخ;+*Q�֭
Bf-.�3bB!bFG<؇AP#��{ z�H)'4
�N5>�\bϺ;$��VB�0F�_Th�)4zu�Sxjt)��5�Eы�ſ��}��:}iF��`�o�e܃�*WVz[k':_Hl��g�4zYQG$��r>1xc�|.[�im}�z}H&iR'D[3pu*hKhw�QZ4ղoeW!=�
��lj9l0 �!t�Q^C��;GNՃĶS
g>#�(�3rc�vd\Q�;�yZ1�?nO8Z7\ta_�9�`�|;p�s�G5\;�>'cv,Q7&�}��Z9�}
DK{,i�;�;��坠P.Vp9c�|w=��lҿǥ̷NuA�?%�>iWy�09nJs dj�BOHԃb5zÿ뢧 � �r[k_=�g䢅q+ћ^QW�{20t[d�ؕvd{qO�n<�]1�鐧4vlLcI")VԺUw7`�YpJEOV
;ld+NE�$�,n�9�P2�vAK�JG3`Ⱦ�qC7�bR��c�o'�X�]&
{~W*]ۣGoqww~=Ҳ(�r]&ZDNpw5jyAJR,y^]V��D���Hڽ]
Fu�U6�mt_c�Z�yi�襶N<�;曂;��`!3( ��а�5M��H!q��� )4T0h�l?|n�wcJdjl�� 81Q�h�o9o�٦h��
�"�a'�zYC,G�?%IFܱ�So-*O��o*N�Ɗ�̈́3W7��p&/5;U�)ye�l�ƚ�.o4y˭(L J���»/Vx�e�[bw[8| v�tj9J[~vːu9:x+>ZV�]Pm6\rFu�㱯)&Q�Y|w}+�Zxꎴ�TҜR23��/AN_8#_(e�=�rߧN'!%,Dt"`�rA[v �}/|[1no�_PxLꅮy;�2UU+ C�4&�1?0��St;��ҝ۰�Jz̜6��IÕN� K3vh'#z8W�5��m<&b_8Sn)�Ğ'1Sw}���{r|fˬ��\�ѸL��xdћ4@˂��9p�O°cy|*��~�iN�e�J&tR1� �[�yuYRa�( �R]n!1$�h�S2PI�<2:>�)�>vc"UQ2�)�jW�{ζlQ ~lOӪr,�v3M:9X)WjjKrUybTntIJ]y��/Rr⊒^ۃX
��P�f8�Lm|pde�?1#wMƈ܄^d:$�
�,8�U
zjbO LC6(���AsI:Rye��nH\Ub)�2Kxy ba1EGI({=0O�Ş('OxZ�_|ݩ%Ml�2E�<�V#қLjW� ��眥mdSwa0C�
&
:0 JqMge01,\%?atA"c �&+��f ۠:a T_߈�x2b)bG!��~MZ$awUn㍦(UIU$6}P/-ggsy�kϥY�Fty$x73��$rY��cc#7Ųsm%g��c�6$U�ݑwAf �&��9�C���`ih�-I�a�ƍ^��oC/C���xܽ^֔�(q?qm�@Lq���a�B�c�s�,�z}%)�捭<ʛU��K(-#:��r�q�;:�9cj�`W7@52�-�@�2@��3�wH#����Fj �U{ ��|�R}i~8֝@
]|ne��O1�_j�^5;�^#t+fI*kg��3�H}]}���uq7G7G7G7G7GdRQL#ZS�sV f5=Lukakm�Sz�(x7[.-L|ύ*�!�HbkkH���7{gSsL?w�Rz4�O!=��xd�R/3/0E`���9�w%'Y3}�U|Q G�JX}i�V`E&@|
gc��!�<3SȎKD}9;9�B.%R�,R/^m`��0?p�$@�IL�g#ӂy4e�O�!=etXj\G;�N-w;gmrE.?Q!o5q�À �ˎ�z�zDؒ�ߐQ/n]�b�'�`5kY��j�|�b:\�J^k7�Ā(}C#ǂxL(z!�V#sP>���b?�1�0-u�Zc`g��\#LW]?fz55_�?��0m<�f8�emt�-��^z͍[`x!�a��q2^
;<'m2;[Тe?ڑ"@"&m�P�,a.Xn/�)@��C9�jXIdc7FkoQ>t 0t.@ڽX^o�ʻVO
�쵂R4�ş
zK�)粨)0zm)WD&�.^Y&T&��=y29M�ً�xmM�T�l�s�!۩I,T��m
Z���ߤ�L)m_mױ�$L(NUO*�WڈYѧS.#{Wrs7Z~�rvۀ͝hAm�K=�Ь%5VfX*j%M"q0M+�i.┉fae�O�%3ߐ��I5T���"I"�K)z0�:kҽ�>u]Lx§��@QՂҞ_FS#Xݷ$5O_���m-N�ړuYİO:x��-r=�
Tw߁^<=C�!��@
aID����njrl7w�7w-
L3.N-£�E&���QRo|֊�OZ�YΞëR�+� 3X�0>�I7!7}^G%H�c:��^)�PAgXt~GD)L�"{4[43\0k�`��꤯�7v6FʛRL](L&�QX#Jw{R��ONxNtJ)LšE||� I-?s(p���7�g{7@=u �m.3�Of7��a�T�#=�t�_#�Th���&#/�z~.u G2(kX5X�m�È��S2C[Ć@TVc#�k�x|�_{DYwE�i.UmQ�eos��+A#샒�=�%x�L ,q*)Dw�$a=?Ñ:xS[|�/F[���aZ�i։�[#r�d! `,%7��TXA0k%h�Ļ(ĒI
;���^R_V6TPR�Fm.�MEfIȢD�_E\1�]CU�ub? @�,ttAk-c"K]Ζ1x~��[/Mz'5aLp7P;ɫlNz� ԣ:BMŴ�WT#j�%<���=�`s<�IM13[Ok�a`;Ӛ ]��lإZ�/mLt�X8Ow|
e�-�JvԘ�}-*|);,�Z�+�Eq M���lkT�p*Bק6:F�̽KDMD0FJ
�i%V*#/rCyQ�iw~Ǯ4U0}j�e-�y�s䳽*r3���,,�Gc�0O0w�\KJ�s4]�:Ra
)zd
HO�Xs`G�V$(��؛�Av�qԀ�I�a>;�(�-^`̷UKphkY\Y2lw�K襃ڵϔ8fI IGt��{{i/ �~HګkٱF�Kb=Μ(ؑ}NLU�tM-3^@yj�4Z�M��?�jsA�s �ʒ2;@��lfmmYU)7�g%.0HS�oL`�sQwt�c%a8TJ o� J,9`V9H0�oYw=X>��*1Xt1)Y9�|ɈVs�%ū��*5q�^N;�ǘ"x�x�a aF
a?ϪͲ;IoP}sY?e=a
�'2u?|{~�BJ{=Jm~#�dM-ã�|U:�m|%w9%m[L�{�n5�+�
Stܒ#�?�)){ꞪߒϞ\i480l%In�511K=
o~{@qq
81q�,d�-D|E|z['AU}�>l1Ghb#���^)
)`�v�CsF.v߾ꡇ@�G�LGXTܜOuq/ `J,Ys1�z�l�+Ja S�-�#k:,�˘0[ Hh�`6zS�p��Ւ s)؇c*1OW�=@)4z\䰟aH��p=S�-2ȘhD
MQ VHxLir��tv�n�O�KZSCl��d
�D�ps}�ot)mDRRiF�c�t߰�Þ�1;mz^G#;l/u��#_K&(?,pD�
�{GLƙ;fSZ,�� ��~�.1�YbR8(tQ:..�(�� o�I�YP�XP؟�S?pk2�ꥦa/x�a 3��s��`EPf00��apLn?ѧQXO^NxC�Ln
1�YG7`C[UE�Y|ob�L,`A~�Lmݜ�(�8���$Ѕ:x,@#!��9ω��Jk�)�
7�úޛXF #}�Aa�P8�Z
��+z+5'I]S@)9CȮ�KTU:]��͠YQ^&*_Ӕ^*BI]��/ �P/HZ�
�W{Pɾf�:��1=#7���Wrڽ"MrznU^Y��Sa[+�
|폺Uw'˯U_hZxP��3dg&SR�o4E�š6u\�_c\qxgYx>+ah,.6!w=N�JW6j�o&Ll��sQ=ViJp�:�Пgg:^X�9q�.x
RЦoJ�c�UN�{0.8���SL^}'v�ԼVxy�xS ?�_A&pj3�ݜr�Р)?@�|Py}N*4:r_'\C;9+4>rʿBg�,�>v9�s?�y9=��?�_??C?�}/P%��ߗ�]Cu^9u�^C9_�]_zy�ʛ9rּą)�rq/
苼UrXB]�@y>(P/nts��:WJ?s�z9^�}MNF&/˓n+��]a_[k3/YSݲ�Iլ �6
CGP�/<*Y}Mc�h��to$.�rd��&}:=WWvl+x._[nNJ>S\ȜH�WɴVی �x�FUs"X�5̽qo>uxbMw^1��&)N©�'��ݞރ�轊r m�v#}Ib��a�^į�L�&E�F�ߘ_k�=�rW�̃`ƭ;6~Ǵ"��U?IP6��Zw8bz�:w|l9�~U�Z�Q�'8ۈq�dA(e6L6�e�_a9v�*n&dO��*{�Oq���A�nӕc��f��qgʓ ��"�d`[V``x5��4x��Sz_H��.;�m��?E�{QB�
n`Z(>/~~ Y장z@�;j�sқ�`&<9/V$|vr.i�G�<&l�l
�1`=F(Q�O�7q�ȾKspn�n�(}cz���Bybh�:"QF{&A�}F^\�� )4�MϫH�P�-]�ylo()�y+6*ن��0U7VA֒3�Y,�\DX�Z�@.ɿlٹs˜2J1Д8ٶ2#OA#r
/ͫ�e[� ��O"/�C24a�(f�zc�<��z��nG}L��Om�.�H|�n4~U�f2{O;:�з��57d�8Q|
yQ�?�Fu:h��Y �)67-���`zMF�6iZDR�*,�l'f
,���~sf㿴#Q�^.�9�1�"<�oc3��)+~`[t%(�oe3C7Dn0Br
d[\Oօt�v�\jG^�hb�'/bA-xr&r*]x�D4;N7/�39ʧ3�~_p��<Ǹ(X��+.9�
^Y{N�g!t<}=!�M*`'>F'ώ�/}B=FBl4.�$·�'ݳU��nɧ�W�-)zFYS$;ݫV;�AHec]6[ŇxOοa(X��E�hM#01B4[eUUSA$ᑭ7}M1�uc*@ٯ6vFًᷞfSذM�*d.%r�R�+_gЧTN�&ZJ܄;"�6BKslt�6� �� R4�)��
|
Enterprise Applications 
