As the TJX case all but winds itself to a close, it’s not a bad time to look at everything we’ve learned and try and answer the holiday-themed IT security question: Does TJX deserve a lump of coal for the worst data breach in credit card history, affecting some 100 million credit cards?
Regular readers of this column know that I have had a wide range of less-than-flattering things to say about the security setup of The TJX Companies, but there’s a broader question here. TJX is a business. A $16-billion-a-year massive retail chain kind of business. As a publicly held company, it has a fiduciary obligation to do things in a certain way.
If we move away from the question, “Did TJX do everything possible to try and protect consumer data?” (which merits a “What planet are you on? Of course it didn’t,”) and focus on, “Did TJX do what was reasonable and appropriate at the time it did it?” things look a lot different.
The latest news was utterly predictable. TJX’s deal with Visa, in which TJX would give money to certain banks in exchange for promises to not sue, was approved overwhelmingly on Dec. 20. Two days earlier, TJX also worked out similar settlements with most of the banks suing it. In short, only one bank is left suing TJX and that litigation will happen in Alabama state court. The consumer class action lawsuit is essentially settled as well. (The final approval will come from a federal judge who has already said he will approve it.)
The core problem with the TJX cases is that the lawsuits wanted to accuse TJX of something that is not illegal in any state. They wanted to hold the retailer liable for not properly protecting consumer credit card data. But there isn’t anything on the books in any state or the federal government that requires that. Some industry efforts—most notably the PCI DSS (Payment Card Industry’s Data Security Standard)—seek to require it, but those efforts have no muscle, other than the ability to deny a chain the right to accept the cards for payment.
But the persuasive power of any threat is in direct proportion to the likelihood that said threat would ever be carried out. The card brands might exclude some tiny store to make a point, but the amount of lost revenue from excluding a Wal-Mart, a Target or a TJX would make that threat rather non-frightening.
One of TJX’s defenses has been that its security wasn’t materially worse than any other retailer of similar size. Sadly, it’s a true point and one which we made in this column many months before TJX made it.
But that’s not TJX making excuses. When the chief financial officer and CIO of any retailer evaluate technology investments, they look at the issues of return on investment (a big-time Achilles heel for security), risk avoidance (the savior for security) and keeping up with the Joneses. Expenditures will seem prudent as long as the company’s security measures are not dramatically different from those of other similarly sized retailers.
Let’s take a quick look at the lawsuits, because they become relevant here.
Myth #1: TJX was sued because it was breached. Reality: Tons of retailers are breached every week. TJX was sued because word of this breach was announced and—much more importantly—because TJX has deep pockets. Without sounding like a corporate titan apologist, the suggestion that TJX was sued because it has money is really not that far off.
Myth #2: TJX was sued because its security was pathetic. Reality: this myth is a lot closer to the truth, but again, tons of retailers have pathetic security. To honestly evaluate TJX’s decisions requires a lot of context. Had TJX invested a lot more money in beefing up its security, would this breach have necessarily been prevented? How about future breaches? Had the TJX CFO asked that question a few years ago, I think the question would have been, “There’s no way to make any system completely secure, sir, no. We could spend all this money and theoretically still get breached.”
TJX was spending millions on security and its security systems—although weak—do not appear to be that much worse than others in that space.
The lawsuit issue is an interesting one. What if TJX had approved all of those security upgrades and still gotten breached? Even better, what if it had spent an extra $100 million and made its systems quite secure—much more so than similarly sized rivals—and avoided a breach? Now what if its profits plunged? Could not stockholders have sued the company for having spent money recklessly and needlessly? How many advertising campaigns and CRM (customer relationship management) programs and Web site upgrades would have been delayed because that money had been put into security?
I’m not saying that TJX was blameless. (I’m still waiting for an explanation of how intrusions continued to happen for multiple years before they were detected.) But I am pointing out that security investments are among the most difficult decisions and we need to be careful before criticizing those decisions.
A small window into the thinking of TJX came out in court filings that quoted TJX CIO Paul Butka’s e-mails. They revealed a thoughtful internal debate about wireless security upgrades, in which cost was indeed a consideration, as it needed to be, and there was an intent to eventually make the upgrades.
That said, ’tis time to make that Santa Coal recommendation.
I’d say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I’d give it a pass.
TJX theorized—correctly—that any breach wouldn’t cause any impact on sales, as consumers (protected by the card brands’ zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn’t plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.