As I look back at the 10 months of this soap opera known as the TJX data breach—the biggest ever, in case someone forgot—I keep being reminded of a wonderful piece of dialogue in the 1990s TV show “The West Wing.”
One of the characters—a White House deputy communications director named Sam Seaborn—was arguing with another character when she told him, “Dont play dumb with me.” He replied: “Im not playing dumb. I really am dumb. Most of the time, Im playing smart.”
The TV joke was that this character truly was smart and was playing dumb beneath playing smart. (Shades of “Victor/Victoria,” but lets not go there.) This brings us back to TJX.
Before the breach, TJX was seen as a very smart, very well-positioned $17 billion retailer, sitting atop an especially attractive North American retail niche.
But since the breach—where the credit card data of some 46 million consumers fell into unauthorized hands—the company seemed to have made PR blunder after blunder. And yet, its financial health could hardly be better. Revenue and every key metric have improved since the breachs announcement, and the negotiated settlement with consumers suing TJX is likely to be approved, and its extremely favorable to TJX.
When TJX learned of the breach in mid-December and kept silent until mid-January—when it was able to finish its wireless security upgrade—that now seems clever. When it announced that ultra-favorable initial version of the settlement late on a Friday night (after sundown on the eve of Yom Kippur), it even caught the judge unaware. Another coincidence, or was the company really trying to bury the news?
When a large number of customers drivers license data was grabbed in the heist, TJX asked its consumers to get their state motor vehicle departments to put a watch on their licenses. That was a move that would do relatively little to protect the consumer (the critical data—name, home address, sometimes Social Security number, photo, physical description, signature, etc.—would be gone for good and is very difficult to change), but it did have the potential for causing problems for those same consumers. If theyre pulled over for a faulty taillight, they will almost certainly be held by authorities to verify their identity.
Recently, in making court arguments for the settlement, which calls for TJX giving out in-store vouchers, attorneys said the vouchers could be sold on eBay and converted into cash that way.
The judge overseeing the case did not like that suggestion: “Too hard for me. These are consumers. People know how to cash checks. Saying Go to eBay and negotiate it wont cut it.”
But the judge wasnt alone. The comment drove several retail security experts crazy. They have been campaigning aggressively to stop retail vouchers from being fraudulently sold on auction sites such as eBay. To have TJX explicitly encourage that, some have said, is mind-boggling.
For the record, the TJX legal fallout from the breach isnt over. The consumer settlement still needs to be approved, but that now seems quite likely. A class-action lawsuit against TJX by quite a few banks and other financial institutions is slated for arguments the week of Oct. 15.
A House of Representatives effort to hold hearings has been repeatedly postponed, but if those hearings do happen, there could be federal legislation behind to criminalize weak security when protecting consumer information. And the group of state attorneys general has yet to release its report, and that may have an impact on TJX, although its not likely.
Has TJXs persistent silence on key details about the breach been based on shrewd legal acumen or the retail marketing reality that “sticks and stones may break my bones, but consumers couldnt care less about data security”?
TJX officials knew going into this case that they had the much stronger legal position because no consumers lost meaningful dollars. With the exception of the bank lawsuit, TJX hasnt had any reason to answer nosey security questions.
As for the drivers license and eBay comments, apathy begets apathy.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.