Enterprise Applications - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Enterprise Applications


Where Does TJX Lie on the Naughty-Nice Line?



 By: Evan Schuman
2007-12-24
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


Rate This Article:
Poor Best
Opinion: Ask "Did TJX do what was reasonable and appropriate at the time?" and things look a lot different.

As the TJX case all but winds itself to a close, it's not a bad time to look at everything we've learned and try and answer the holiday-themed IT security question: Does TJX deserve a lump of coal for the worst data breach in credit card history, affecting some 100 million credit cards?

Regular readers of this column know that I have had a wide range of less-than-flattering things to say about the security setup of The TJX Companies, but there's a broader question here. TJX is a business. A $16-billion-a-year massive retail chain kind of business. As a publicly held company, it has a fiduciary obligation to do things in a certain way.

If we move away from the question, "Did TJX do everything possible to try and protect consumer data?" (which merits a "What planet are you on? Of course it didn't,") and focus on, "Did TJX do what was reasonable and appropriate at the time it did it?" things look a lot different.

The latest news was utterly predictable. TJX's deal with Visa, in which TJX would give money to certain banks in exchange for promises to not sue, was approved overwhelmingly on Dec. 20. Two days earlier, TJX also worked out similar settlements with most of the banks suing it. In short, only one bank is left suing TJX and that litigation will happen in Alabama state court. The consumer class action lawsuit is essentially settled as well. (The final approval will come from a federal judge who has already said he will approve it.)

The core problem with the TJX cases is that the lawsuits wanted to accuse TJX of something that is not illegal in any state. They wanted to hold the retailer liable for not properly protecting consumer credit card data. But there isn't anything on the books in any state or the federal government that requires that. Some industry efforts—most notably the PCI DSS (Payment Card Industry's Data Security Standard)—seek to require it, but those efforts have no muscle, other than the ability to deny a chain the right to accept the cards for payment.

But the persuasive power of any threat is in direct proportion to the likelihood that said threat would ever be carried out. The card brands might exclude some tiny store to make a point, but the amount of lost revenue from excluding a Wal-Mart, a Target or a TJX would make that threat rather non-frightening.

One of TJX's defenses has been that its security wasn't materially worse than any other retailer of similar size. Sadly, it's a true point and one which we made in this column many months before TJX made it.

But that's not TJX making excuses. When the chief financial officer and CIO of any retailer evaluate technology investments, they look at the issues of return on investment (a big-time Achilles heel for security), risk avoidance (the savior for security) and keeping up with the Joneses. Expenditures will seem prudent as long as the company's security measures are not dramatically different from those of other similarly sized retailers.

Click here to read more about when TJX knew about the data breaches.

Let's take a quick look at the lawsuits, because they become relevant here.

Resource Library:
Myth #1: TJX was sued because it was breached. Reality: Tons of retailers are breached every week. TJX was sued because word of this breach was announced and—much more importantly—because TJX has deep pockets. Without sounding like a corporate titan apologist, the suggestion that TJX was sued because it has money is really not that far off.

Myth #2: TJX was sued because its security was pathetic. Reality: this myth is a lot closer to the truth, but again, tons of retailers have pathetic security. To honestly evaluate TJX's decisions requires a lot of context. Had TJX invested a lot more money in beefing up its security, would this breach have necessarily been prevented? How about future breaches? Had the TJX CFO asked that question a few years ago, I think the question would have been, "There's no way to make any system completely secure, sir, no. We could spend all this money and theoretically still get breached."

TJX was spending millions on security and its security systems—although weak—do not appear to be that much worse than others in that space.

The lawsuit issue is an interesting one. What if TJX had approved all of those security upgrades and still gotten breached? Even better, what if it had spent an extra $100 million and made its systems quite secure—much more so than similarly sized rivals—and avoided a breach? Now what if its profits plunged? Could not stockholders have sued the company for having spent money recklessly and needlessly? How many advertising campaigns and CRM (customer relationship management) programs and Web site upgrades would have been delayed because that money had been put into security?

I'm not saying that TJX was blameless. (I'm still waiting for an explanation of how intrusions continued to happen for multiple years before they were detected.) But I am pointing out that security investments are among the most difficult decisions and we need to be careful before criticizing those decisions.

A small window into the thinking of TJX came out in court filings that quoted TJX CIO Paul Butka's e-mails. They revealed a thoughtful internal debate about wireless security upgrades, in which cost was indeed a consideration, as it needed to be, and there was an intent to eventually make the upgrades.

That said, 'tis time to make that Santa Coal recommendation.

I'd say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I'd give it a pass.

TJX theorized—correctly—that any breach wouldn't cause any impact on sales, as consumers (protected by the card brands' zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at eschuma@earthlink.net.

To read earlier retail technology opinion columns from Evan Schuman, please click here.

Check out eWEEK.com's Retail Center for the latest news, views and analysis on technology's impact on retail.



  Reader Comments: Where Does TJX Lie on the Naughty-Nice Line?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Enterprise Applications Articles          >>> More By Evan Schuman
 


x}rȲ8bkܽ.lc ݞ8h,$-IY?_v8x2J7.|٧6*2RY{$+G̢d >5<`GHRmoa0TE[ oHjNZ@p~-slWsj;j{#|&J{'ATG! hK&OV{gNlN1ecs_cp,F=$(kzZC'A:4-Z P8&D.{L~Thg;9P:xtHf@daQ/*! lpa+j1yh O,Ӈ;)0۱ȭB ¿jxk׳:߂ݸ{g$SNE ;6, 0tjvfPx߬ Շ70SK_3;nZK=0Fp&\ Дag8g]ib&DJH7єmR—U/(AK/- 5f>]T${3BDȃ`g@ BDԐ?CC0&pIza.8 KC.Ӌpfyٜ(҅%]Wf.ޢG*<Λއfto:~j7E8^%g 5F ,heݴ8$!WVG5MG\:M&EyX99ʑ61p-~~2dLm,5,LHYA^gA`*:)~ҧ >ҡ9Vm'!|Бd0mx#Z.K3ЍIXn`Vt:hQ{4ڭ,%_bH}xS՜v&ztoP`9ImLJ!??6  G`rxk #`D+wG@b,TE}vACơ@XzC `X.l>0-0g%Km@i0yzbdQJ 4$@!-i]R@Az6W; -8,rr: (}"!bxENk@PGҕ3vjxvnS,BV-KᗄPf%e2mhƪ̈́(VANl(0Vf) {2 yvw[=&nQ>\jZuϙܑ-Ӿ"?V 9uC \D r}ͺX 4ؐ|&B77&7O wz@nehI*#w4 K)dj~#J}}@)'gJFJv zh'>eg HlYWo%,ZoEI8ۥi]k%X87Bɶ/^`a6E]Q\ROHD@CR)Ե 6ŠiY^`(ytM̆ТQ҆}T}Ss . XUM.rucd25l\*EM":Y?l d A FI}(~?v( ofsجSqIGM- lr.g-H ǏР0W}2PaI5qZ}끊7_Ɲ/0cŠ%}o2rr:|ꚺ;]- aGK+Ws4&mI8` Dz0Sh2f,ÑiHuߴc#"R kH KE1Iڏ;&_Gƍ [d9-0cYc6eDm&(uEZ$mӞ@#W@:*ç c"D8r_() cG?_w3zau `'rnK āhͰh8`]zq8cJrEe )(J))` L` T㎾2:EwH_ય݉}sX,R~K>̇G>Y-&1;h'0d37  s;OWØ)2+N<:MXH(2 ܛ 0>A,Ca&:`BE M}8 #y@{y.;Դ' &5b34JmәFt)Do`~)Ԩ?UU)U *~cZ*joR.4F (dQ@4@#q`C_C.<1*_ hėX_ѡWX tYЛIl CC?Evvsl~EYdy3ir3}o&s4Ù̆yr8z|Hg\U|{kD^2>W9.^ٸ c hwy:ꪦ`x hRYpg#HY9޼^:9ez6eVA~XevQ& 5LУx{ +7~1Adeg+|&:vΩ0v 0\]>wEL =#"ّ{Q!<iVbWa;:cOR X!:^ivM$JS-!Íj BY-* 5CED\w!&C J 7lvXCk{Lo9 =2j>sP:*yHd3 Gا;HCM;ؖR=PHG0rX|V( < rrJ GeNdPŚ؈'?b$P^Jn%OXO\7V~߅Ӹ@oٷP K1NF1>`KC<t0lgW^hy' $aNi 8EZ|Isչ寛uSJ:܈;OjtK1KAVC]59/g`d IBq2 7?<$E:wdbԎ8%4 \HG-~=rrPR9Lĭ's*([wiQf%}yjNtaJ<:Ƞ3%tBY[=I򲚔Y'ƈ&H. 駡闌fr5Z!.=[Mz{@Ĵ&{>wg%}c#y~ςVpl:RCuV B}$XyKOw4Ţb'%hw:BrcQ7Gs`N3|hSZCe^=u_T;Lm3yl#ߺ3'^D 9ʼSy`Zvu +;No͗>w}>2k{R̵jRs2fƄ{`ճs4GלO(pE3|/"6tJG(ЪEWsXs\uS:t vڕg)NBxYapLuF?!ם_~w j6a}%X@R#|&~>xF]>zuS意g93r~jUő`6 ݥoV8i?{ѽ¹"Pq;:`)R{I6ӱ$BUUk2;Ⱦ\EVe.tݕ^zs_+ _bom0d&'zvI JG3`ȞxqO7෷bRcoO{~uI.%~W(TR/o}VZtC.qWG&d/.)%nE *U OK 1n,=اHkY\xlQWg2~O O=pԴ[}MNiPj&Όs$;gr垄J6wVp. Ϧv_ O%FJMץc-ێ!%/hvpU4"[y"N0 o[1΢ Imi|o(o'򽥎xk5% k.W&/o).wi{naa0^ <"s(ı߂[CƧSӆ]e> Y[=e<q !g;UJʑ/6쵍1fn9baDiMaۡa/{e-trDkP%|Vn*)z`1C"[O1:0޵ɗQ{^`%Ri_D^Dw9]S h &M`3MM &&xrM3Y*%東i[quL!ñ㍁yNrt)˲_8z_{iH^_T2~?M̓ykU}6 '{  N6܂cוйaֺ@QSw2g@CX )C3n96$Iro/3 Of{l,:,Ƞ˗Σs{M. ]1+c3peuX,':أw6ZLcyaA~` wO6t6>Hb9h4wsRL>[ &0q޵qBqe½L"ZV׊U{F(?n,ȮZ,JH& "jjP)N]G1)n o)rXf-TTLk.U S!笟<͍fj#^4fҝKlL/R_e!b:FphLxc24&q PT>_Jl4%Sl䣳-pmQi9pIoܢ6@m:#/6- *ҩ'2x@tFH%"739,79iw„4ٝsI-nsW9?\8̗@ro,,l:rL@@TnڒWmsmˊ;rH-6#>T|&/d k]ތ)W,fW*݉*N u[j5.yf7LP kGD;X6hUCdeTl xt?33av&qf0ކ>a$q@8!XKE}״˯D0^0`Rҧ>S=gS%6RWh/a;оj$ꄄy 1jOhR X)%֮VWXuqM7777w\jR|e`PA*R ZY9%vo-Kx[X1X,+P;yj٢1H P"`^ۈ>Le!H;l>pfPܐzП_Z`! %*'a확ؓ rosm[ry2Yg0u_ImitW31xD'=Ig`Alum[rዻL`%OcI.z|\8*[9"VuuVZ ZiπH趷& aKa =/I mjk%R$!\j .`XEIQ2;n 68X/`~{cjϘ4%LE(x4~:Η`;*կidoޏ3'>Y2' _x= ؎Hv`c[$K=dmScPFں7D E"Xۮ-<b }}+S)=ZV"|8M p7ǿ=C-wst(`>9rV7r]ܳyş-/$z69qSqA)}M\"W{_Ј/?tV?캁)"D̹6KA(^BM`d;6CLHj~жmޞ`/@m:,ն=0VgEQ&j]&Uֲַ[#fyN8]ʅ6%b5Zv'&L4-<[yG©YKjl&5RKD:`ɿ+VD)2Jf3L`pDXȓwakgH|`߱1G_Ap0E5 Gl]"Ҷm]=82XG̫Wu;hOw1"nb1EKbgj wϯP5S>&O>Dxm~NG~6k#Gn'я" s@9* ek^g7jE_A=ʹjgϡ6 ךC3* I:nģq4Ebj7xT&e ewƟߣ^Y?`Tcfɷ~w1V^c6[2QȏaD%|]A~0|^~ j~`_<9?%d܊(/ <7Dž xH뱛4ēG~n~ODEG%k('>?GwX1e2ZG9 nbb+\6M BaD0‡캎qaBXEw}8EED-svUQrBYm2} N]QLa!/(!/DȮ~aI{==.Ș$}9q8ʊbMk@fa8%blTI1'p.$XD `C4yuQ!5IﱠҲ_ZK>qNͦ"f dѴ[B.]3sI ʑZrq^XuZ.˘x'f@]3&-E*[ނ0HuP_ѭI UP+$4h^Ǩ:tyLxijbfƎXu0Vz^7X~XuntVڹqX yKmy -Jr55X}yrjLIGn:#H %};q;:E k ئK-µ_5瓔KpʭBף:FyLdLD0FU hJ7Cy^Ӏ}ۓǎV4UU0=jqDw]qr+|m//B .kXGl7c aRJaӪԇo!Va )eIaI.,txZډBLk?JO~[9~` `\z9W-~鮤q׾3b lĭǔ8I`1п{wi/1~Jk6G&˻<0@4yَMUbtm-SDwyj4ZLa"0OZ~\`YXX cG3,&Yqc[TrBYIc0 ":;M;V:'ۦ~M_RDuaTJ[ J=J0+ŘZ9.l1G%/ ` YW1rzM[;iŧ1eiL(1jL!1 \”cЭaUfw<~z*:O5Խ~J$qȚ؆/bN 76Ƕ _{J`߄Co XTpw :{rP*Z-FӋ ̋XH t4*$P=$z̥7b?= .M8}ǃ"Ba#X *>IR7GP5v}:5͟+rݼ^5{m=< Lp@țF>'죋B!|ƒkH ]TWZAxf Os.c58:?pa%}r s)؇c*7ͻoʑ. BR3O0 枩hUȍTdL4B&(qTi+$Oc{W b) ' Q:!.( oIYP,(ϏB5DuKJ8Tmn$|v>h3+-̔,0]F"O=g8= <ɭez``ܳoNUˊr @X:ςlQ89PAg Uoa VH+^@0w4tܽ@#_Чv#DsLPD;NoMp=mZkrڼ[S׊_ǣ4NYyysۺj&ǩ_+}e |Q);KFYn2;eFq*gcͅfU,xW*U^r/J]`Fݞ?VjD(/Ʋ& F^6 BzqvljŵVN|NW%g0CE@Ц۫Jc~ʜ4]V08SDny#fԼU[v(((guzFy; AQ~gρ>_dX_~.[[\(2ƇuF91݌OPi}ʀ]1?mෳ}m}i l3e:P1/3(oCy;:c~A~3:c:0N;:_n?n2d. w32 ׇ }}̠ee]%:IX!g8=!9(/jR,j_y*-yFg賒;Z'_Kɠs3Я!%ߧx|dnleں94 aqʍz^S_xڜꦵp-]h7\/%^a/4ZE/Ѥn|Eq\+< a b{e?VPw;]CҤ]|j.{%])W[O')tk(%s<2g!gs=* ͱ#{":fiǨ*oND1KAF0_xtݣ6O  җe&o3?`jE@' @9_p[aFaגHSG0U5yhoţd?~_<ڻȬuMWVFj+$kày%s"N^]ylߣjߊD,z e%Hi0ZbYz C8bGDŽ[ɞ(#^?&G&^el"?1 kͻYH~âHጽNѯXCcf@pb/[{8z3(x7}FZ bЦ! Fؒ%Dİ-#N>@O'#mX&38M!Po.@cmc{@{_Ac*3x HꮠW&s_" 9oъ^ܵ ΅*K Xm0k`Q{isÄ#6O 5U"yOlBZ&G˗`ػ lcXR/~XW0853]^ȇ~k<:=O)GYY1_ՓZif`wƝ![)|>bZEWVz`L,fhaErj9oFdu't'bFy9u^һ՜#elt> a=,|Ͷr.$CƎ$z 5Գ9wig@gXVd]dA_d|bO6-x* Um$tp;slPFo(9ao5RFX`N놱LZԝ86Zd :LA&Lپ~L\PhQ"3q} !30Q%Ơ)e h ۩#tZwdY9Hr%zU h&<"6: gK—OA帘cw[/AI)H[aD.v^ =c"51}"E a'_B D=$~5|o,C7c]ekA/?kuH3軉fKNvޒǍ־( {}.`6ъU%#t>_ =$nD܅g ߠ(<%*`>'}MUvNa0~NZ]V0"? `nwnںmˎk) 'NFp)N|cEz?X \vHvCX|w^؁;q^'dd9c7s7eWU`gDg~8_ZfH6C|%Jx7 죗iO_d% df3@FC0!Ziu,KEt%(Xp^'A֮hK;>Û_a1\TGx kok3gzϷ<v7sg'+2qN`WH؂{ +Wri`xd+{f:ePEXtl' C[W5`/=2HSސs(.(ZuAƫ1ucVB\ (at!L/Qa˟l׉R#nH[TFE®":q`Ġx^];ѽ!׎RTUSw$905iϱ|3'5ȱ ya1 |d'{6W=?=z3l~wx8YʐLW\DI qk.mua4,Lb9"[ޑQI(Vv؃3e3}"@a+5dBLN Qo +pRaL ; b[и<1q,ӘsϢy9s9K1E~2ztTN~LʥcaPֽE3FEl=R$¨B]3Ay\99.@/I"cXM|aE|1GǩW#nram+ S>a%lt\k/o?Xy'ۭO<|P ؛gg'qnfXvQ;J=۽wߺ"f/\On>@U&s)# ]Wb\)ZMS9Q_ֈV&|Z2Zc{͵ްjYp*$1'