
    Do State Probes Have the Right Priorities?

    Written by

    Evan Schuman
    Published February 8, 2007

      In the roughly three weeks since $16 billion retail chain TJX announced it had suffered a major data breach, there has been no shortage of people eager to jump on the “beat up the security victim” bandwagon.

      Of course, TJX seems to have gone out of its way to invite abuse, whether by sitting on the news for a month, refusing to pay for those customers who want to check their credit repeatedly, opting to reveal virtually no details of the breach, or hiring a company with little retail experience and virtually no retail security reputation to investigate the breach.

      But that's only what TJX has done since making the discovery in mid-December. (For the purpose of this argument, I am going to assume that the company—as it announced—didn't discover the breach until mid-December, despite unconfirmed rumors that some company employees knew of it earlier.) The most disturbing elements of this story occurred before December. The breach reportedly happened as early as mid-May 2006 and was only discovered in mid-December.

      This raises lots of questions about the level of security the company had in place at the time, how well it protected confidential customer data (encryption and retention issues) and how it could have been unaware of such a large breach for seven months. The question of how it was finally discovered may shed a little light on that.

      Please don't get me wrong when I say that a lot of groups—from congressional investigators, federal agencies, class-action lawsuit attorneys and banking associations to state attorneys general—have been eager to throw a punch or two.

      The head of the Massachusetts Bankers Association went so far as to question whether TJX is a victim at all. “We think it's a little odd that [TJX] would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary,” said MBA President Daniel Forte.

      But of all of those groups, the ones that seem to be taking the lead in independent investigations of this incident are state AGs.

      On Feb. 7, more than 30 of those states said they would support Massachusetts' attorney general taking the lead in the probe. But at least one of the states not participating—for the moment—is Rhode Island. Rhode Island had already launched its own probe, and it wants to continue going its own route.

      The problem is that state-level justice departments often have very different goals. From time to time there are exceptions. New York's recently promoted attorney general, Eliot Spitzer (now governor), enjoyed righting wrongs and accomplishing change that the feds should be doing, but usually don't.

      In this case, though, the states in the Massachusetts group seem to be focusing on helping consumers with credit reports and credit repair. Theoretically, the banks will cover the consumers' actual losses from fraudulent transactions and identity theft. So consumers' only loss is paying to watch their credit and then paying to fix it.

      The hard-dollar cost of the monitoring and the repair is relatively minor (typically less than $50 per consumer and sometimes much less), although if indeed there are millions of consumer victims, even a small per-consumer amount could quickly become nontrivial. The bigger issue is compensating consumers for the many hours it takes—often spent on hold—to repair those credits. The states are looking at the possibility of forcing the retailer to pay for professionals to clean up the credit records on the consumers' behalf.

      But the bigger issues, the ones that might actually address the root cause of the breach and make it less likely to be repeated, are often glossed over. In the largest credit card information breach to date—CardSystems, which may yet have to surrender that title to TJX—the company was punished by the market only after a congressional hearing forced all of the details to come out.

      The only way to truly improve retail security is to make the punishment so severe that no retailer would ever dare skimp on protection or be flexible about policy adherence. Retail IT execs are watching the TJX case very closely, as are their bosses.

      If massive retail chain company TJX is seriously bloodied, you're going to start seeing a tidal wave of security purchases from retailers in every segment. If TJX gets away with a slap on the wrist, every CFO who ever pushed back on a security investment request is going to feel vindicated.

      At best, security investments are gambles. Statistically, most sites are not going to get seriously penetrated that often. Of those that are penetrated, most of those incidents will never get disclosed. Of the few that get disclosed, most will get minimal media attention and will quickly go away. It's the tiny percentage that get publicity that is the wild card. The odds are against any retailer falling into that category, but, clearly, some will.

      Does a CFO choose to hit a hard 17, to draw to an inside straight? Professional burglars know that, if they do their job properly, they won't likely get caught. The only deterrence is that if they somehow are caught, the prison sentence is so severe that they won't take the chance.

      Are the states going to focus on what went wrong? Will criminal options—which at least one state is considering—be seriously explored? Will the states make full public disclosure of all that is learned, other than the sanitization of a few details that wouldn't help the public but would help criminals? Will the hard questions about PCI compliance get asked?

      The state AG offices could indeed go that route. But is it likely? Take Massachusetts' AG, for example. As of January 2006, TJX employed about 119,000 people, a healthy percentage of them based in Massachusetts.

      The AG office there has a wonderful reputation of prosecuting many state residents and businesses. But in this kind of probe, the state can negotiate payments for consumers and be seen as tough. Why push it and force the retailer to disclose security methods and what they did wrong?

      I hope the states do push the envelope and force full disclosure and make every other retailer tremble in their boots at the prospect of being in the same position. The investigators with Rhode Island's attorney general probe seem open to being quite aggressive. But this would be a role better suited to the feds. Any takers?

      Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at [email protected].


      Evan Schuman
      Evan Schuman is the editor of CIOInsight.com's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others.
