As the latest TJX saga—the banks versus the retailer—unfolds, I cant help but be reminded of driving along a major New York highway. Cars are speeding through every lane. “What are the chances that, with all of these cars speeding, the police will nab me?”
As the legal arguments begin to be made—as they were the week of Oct. 15 in a Boston federal courtroom—there is little discussion yet about responsibility to protect cardholder data. Most of the TJX defenses seem to be variants of, “Everybody was doing it, so why pick on me?” As the state trooper would reply on that New York highway, “because you got caught.”
A major element of this case is proving fraud. To do that, lawyers for the banks are going for a sin-by-omission approach. By not having told MasterCard, Visa and others that its security was, in the words of U.S. District Court Judge William Young, “antiquated and deficient,” it tricked those card companies into letting them continue to accept credit cards.
TJXs response in court was both cynical and regrettably true. To paraphrase: “Oh, come on. Cut me a break. Everyone—and especially Visa and MasterCard—know how terrible the security was at all of the major retailers. So to say now we were had is ludicrous.”
Instead of paraphrasing, lets listen to the exact words of Breck Weigel, one of the attorneys for TJX card processor Fifth Third Bank: “We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI compliant. So not only do we have the name plaintiffs in this case who attended these meetings and would not have replied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesnt exist.”
Interestingly enough, TJXs attorneys are using the extreme severity of the TJX data breach to argue why TJX shouldnt be punished. In what is widely considered the worst data breach reported, the Framingham, Mass., retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006.
One could point to the long duration of the unnoticed data breaches as evidence as somebody being less than attentive to security. But TJX is using that long duration to say that too much changed during that time period.
When it started, PCI was barely real and no one was taking it very seriously. (Are they taking it seriously today? Well, no, but that ruins my point. Stop distracting me with context.) Heres a wonderful line from TJX attorney Richard Batchelder, referring to the PCI Council: Theyll “say youre going to have to move to this standard by such and such a date. And so theres this entire period of time when theres a standard out there, but you dont have to comply with it until Visa or MasterCard says you have to comply with it.”
TJXs official position is that they ignore the PCI Council babysitter until Visa Mom or MasterCard Dad get home? Candor is a wonderful gift.
In civil litigation, the vast majority of cases settle out of court. TJX had better hope this one does. If they ever have to face an emotional jury of—gasp—consumers, they may find that trier of fact not nearly so forgiving. Judges instructions notwithstanding, they may not clear TJX because of the rampant security carelessness of consumers financial data. They may actually punish them for it. Silly consumers. Dont they know the law?
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.