In the roughly three weeks since $16 billion retail chain TJX announced it had suffered a major data breach, there has been no shortage of people eager to jump on the “beat up the security victim” bandwagon.
Of course, TJX seems to have gone out of its way to invite abuse, whether by sitting on the news for a month, refusing to pay for those customers who want to check their credit repeatedly, opting to not reveal virtually any details of the breach, and hiring a company with little retail experience and virtually no retail security reputation to investigate the breach.
But thats only what TJX has done since making the discovery in mid-December. (For the purpose of this argument, I am going to assume that the company—as it announced—didnt discover the breach until mid-December, despite unconfirmed rumors that some company employees knew of it earlier.) The most disturbing elements of this story occurred before December. The breach reportedly happened as early as mid-May 2006 and was only discovered in mid-December.
This raises lots of questions about the level of security the company had in place at the time, how well it protected confidential customer data (encryption and retention issues) and how it could have been unaware of such large a breach for seven months. The question of how it was finally discovered may shed a little light on that.
Please dont get me wrong when I say that a lot of groups—from congressional investigators, federal agencies, class-action lawsuit attorneys, banking associations and state attorneys general—have been eager to throw a punch or two.
The head of the Massachusetts Bankers Association went so far as to question whether TJX is a victim at all. “We think its a little odd that [TJX] would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary,” said MBA President Daniel Forte.
But of all of those groups, the ones that seem to be taking the lead in independent investigations of this incident are state AGs.
On Feb. 7, more than 30 of those states said they would support Massachusetts attorney general taking the lead in the probe. But at least one of the states not participating—for the moment—is Rhode Island. Rhode Island had already launched its own probe, and it wants to continue going its own route.
The problem is that state-level justice departments often have very different goals. From time to time there are exceptions. New Yorks recently promoted attorney general, Eliot Spitzer (now governor), enjoyed righting wrongs and accomplishing change that the feds should be doing, but usually dont.
In this case, though, the states in the Massachusetts group seem to be focusing on helping consumers with credit reports and credit repair. Theoretically, the banks will cover the consumers actual losses from fraudulent transactions and identity theft. So consumers only loss is paying to watch their credit and then paying to fix it.
The hard-dollar cost of the monitoring and the repair is relatively minor (typically less than $50 per consumer and sometimes much less), although if indeed there are millions of consumer victims, even a small per-consumer amount could quickly become nontrivial. The bigger issue is compensating consumers for the many hours it takes—often spent on hold—to repair those credits. The states are looking at the possibility of forcing the retailer to pay for professionals to clean up the credit records on the consumers behalf.
But the bigger issues, the ones that might actually address the root cause of the breach and make it less likely to be repeated, are often glossed over. In the largest credit card information breach to date—CardSystems, which may yet have to surrender that title to TJX—the company was punished by the market only after a congressional hearing forced all of the details to come out.
The only way to truly improve retail security is to make the punishment so severe that no retailer would ever dare skimp on protection or be flexible about policy adherence. Retail IT execs are watching the TJX case very closely, as are their bosses.
If massive retail chain company TJX is seriously bloodied, youre going to start seeing this tidal wave of security purchases from retailers in every segment. If TJX gets away with a slap on the wrist, every CFO who ever pushed back on a security investment request is going to feel vindicated.
At best, security investments are gambles. Statistically, most sites are not going to get seriously penetrated that often. Of those that are penetrated, most of those incidents will never get disclosed. Of the few that get disclosed, most will get minimal media attention and will quickly go away. Its the tiny percentage that get publicity that is the wild card. The odds are against any retailer falling into that category, but, clearly, some will.
Does a CFO choose to hit a hard 17, to draw to an inside straight? Professional burglars know that, if they do their job properly, they wont likely get caught. The only deterrence is that if they somehow are caught, the prison sentence is so severe that they wont take the chance.
Are the states going to focus on what went wrong? Will criminal options—which at least one state is considering—be seriously explored? Will the states make full public disclosure of all that is learned, other than the sanitization of a few details that wouldnt help the public but would help criminals? Will the hard questions about PCI compliance get asked?
The state AG offices could indeed go that route. But is it likely? Take Massachusetts AG, for example. As of January 2006, TJX employed about 119,000 people, a healthy percentage of them based in Massachusetts.
The AG office there has a wonderful reputation of prosecuting many state residents and businesses. But in this kind of probe, the state can negotiate payments for consumers and be seen as tough. Why push it and force the retailer to disclose security methods and what they did wrong?
I hope the states do push the envelope and force full disclosure and make every other retailer tremble in their boots at the prospect of being in the same position. The investigators with Rhode Islands attorney general probe seem open to being quite aggressive. But this would be a role better suited to the feds. Any takers?
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.