Evan Schuman's StorefrontBacktalk

J.C.Penney this week became the latest retail chain to serve as poster child for improper retail procedures, which almost all other retailers have done for years. TJX was—and is—the poster child for weak security, when what it was doing wasn’t materially different than what plenty of other similarly sized chains did. American Eagle Outfitters is the whipping boy for weak backup procedures. J.C.Penney is now the SEO monster.

What all three chains had in common: They were following industry norms, and they were the first big player to get caught doing it.

J.C.Penney’s turn came this week, when it was in the news because The New York Times did a piece about its gaming Google, to ace out other chains during the holiday season’s E-Commerce battle. The techniques Penney’s used were considered to have violated ethical search engine rules. The chain blamed its SEO firm and fired that company.

It’s true that the techniques used (involving a huge number of link-exchanges with sites that were ludicrously irrelevant) were naughty, in the SEO world. The real issue, though, is that J.C.Penney outsourced its responsibility. But J.C.Penney is an $18 billion retail chain. If anything can be outsourced to a contractor with minimal supervision or micromanagement, shouldn’t it be SEO?

Yes, what the firm did was naughty. But it certainly seems plausible that no one in J.C.Penney management—or even a rank-and-file J.C.Penney salaried staffer—had any knowledge of it. When a chain hires a real estate firm to search for locations, is there a need to spot-check that the realtor is evaluating all possible locations? At what point can a firm be trusted to do what it’s supposed to do?

Retail execs must focus and closely oversee many strategic areas, but SEO efforts? It’s an honest question for any retail IT execs reading this. A show of hands, please: How many of you have assigned staffers to review exactly what your SEO consultant was doing? Not just that they were delivering results, but checking on their exact procedures for doing so? Had you found that one of your team was spending a lot of hours doing that, would you have been pleased?

Everyone will be doing that checking now, but it’s because J.C.Penney got caught. This is similar to what American Eagle Outfitters experienced last summer. Its site was down—ranging from complete crash to various levels of the site being crippled—for eight days. Much of the cause was a backup system—managed by IBM and Oracle—that didn’t have functional backups, because no one had bothered to check.

Bad? Sure. Did most chains of American Eagle’s size get into the weeds to the point of physically verifying that the people who are being paid handsomely to run back ups are actually doing so? It’s the same issue with J.C.Penney. A business has to trust contractors at some level or it can’t function. American Eagle became the poster child for lax backup verifications, even though it was doing what just about every other retail chain was also doing. The difference? Penney’s got caught.

And what about TJX? Mention TJX to a group of retail IT execs and it’s shorthand for weak retail security. They chain was indeed the site of the largest retail data breach ever and—even worse—subsequent investigations did demonstrate a wide range of lax security procedures.

Here again, were TJX’s data security mechanisms back in 2005 materially worse than most other multibillion-dollar retail chains? The industry’s dirty secret is that, for the most part, no, they weren’t. But TJX got caught, and it was the wakeup call for the rest of retail to clean up its security act.

This isn’t anything that retail has exclusively. There’s still something unfair about being castigated for doing what all of your rivals are also doing. Then again, that’s what “getting caught” is all about. J.C.Penney, you have our sympathies, but you drew the short straw. Welcome to the Retail Poster Child club for naughty procedures.