The data breach case of $16 billion retailer TJX is crawling along, with this week delivering to us a handful of pseudo-developments. Those are things that sound like information, but examined closely tell us little new.
The Federal Trade Commission, for example, confirmed that it has been investigating TJX, but wouldn't say what it has found nor when it started. This would only be news to someone who thought the FTC would not have investigated and that pretty much rules out anyone who understands Washington's CYA mentality.
Yes, the FTC will make some inquiries, take many months to mull it over and then quietly issue a fine that is near the top of their penalties, which is also coincidentally just shy of what TJX would consider a rounding error. Oh, and the FTC investigation's details won't be published, probably under national security headings because it could help al-Qaeda attack the U.S. credit card business. (Snicker now, but just wait and see how close the FTC comes to that wording in six months.)
Ahhhhh, but this country has checks and balances, no? The new majority in the U.S. House of Representatives has pledged to act and act quickly. We're now told by House staffers that the Energy and Commerce Committee is going to leap into action with hearings in “mid-to-late May” about a proposed data security bill.
Great! So that's when congressional testimony will reveal the specifics of what happened with TJX, so the rest of the industry can protect itself, right? Well, actually, no. The FTC probe is giving Congress political cover to not investigate TJX, but the hearings will have lots of witnesses to say that data security really needs a lot of work. And money. Don't forget the money.
Maybe, say the congressional aides, the committee will truly investigate TJX when the FTC probe is over.
Wait. All hope is not lost. What about all of those class-action lawsuits? Surely those depositions will start shedding light? Don't bet on it. It's going to take quite a few months before any of those depositions will be taken and, even then, lawyers will want to keep those details quiet until they can negotiate juicy settlements with TJX.
Why? There's only one thing TJX fears more than letting this case get to a jury: letting the full details get to its customers and investors. A last-minute settlement—with a hush clause—is quite likely. To not lose their leverage, lawyers will likely sit on those details as though they're the crown jewels.
What of our state governments? They're certainly above political or monetary considerations, right? The multi-state attorney general probe is proceeding, but details coming out are few. We did learn this week some of the not-yet-released states that are participating and that it does appear to be about 34 states involved.
Beyond Massachusetts (which is in charge of the probe) and Rhode Island (which had launched its own probe before giving up and joining the group), states participating include: Alabama; Arkansas; Arizona; California; Colorado; Connecticut; Delaware; Florida; Washington, D.C. (OK, so it's not really a state. Sue me); Hawaii (Probe 'em, Danno); Illinois; Maine; Maryland; Michigan; Mississippi; Missouri; Montana; Nebraska; Nevada; New Hampshire; New Jersey; New Mexico; North Carolina; North Dakota; Ohio; Oklahoma; Oregon; Pennsylvania (which many years ago proved its insightfulness by grabbing the only “attorneygeneral.gov” domain. Everyone else has to add state initials to their domain); South Dakota; Tennessee; Texas; and Vermont.
The Massachusetts case is apparently being run with the help of an all-volunteer executive committee, including representatives from the AG offices from Pennsylvania, Vermont, New Jersey, Arizona, Oregon, Ohio, Florida, Illinois, and California.
Those states participating on the executive committee, one source said, often get a shot at additional money for their states. That's part of the problem. The states have an incentive to negotiate financial arrangements to get money back to state residents, but little incentive to publicly detail the security procedure lapses that caused the breach to happen and, much more importantly, the disclosure of which might prevent similar ones from happening.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan_Schuman@ziffdavis.com.