Do State Data Probes Have The Right Priorities?

Written by Evan Schuman
February 8th, 2007

In the roughly three weeks since $16 billion retail chain TJX announced it had suffered a major data breach, there has been no shortage of people eager to jump on the “beat up the security victim” bandwagon.

Of course, TJX seems to have gone out of its way to invite abuse, whether by sitting on the news for a month, refusing to pay for customers who want to check their credit repeatedly, opting not to reveal virtually any details of the breach, and hiring a company with little retail experience and virtually no retail security reputation to investigate the breach.

But that’s only what TJX has done since making the discovery in mid-December. (For the purpose of this argument, I am going to assume that the company, as it has announced, didn’t discover the breach until mid-December, despite unconfirmed rumors that some company employees knew of it earlier.) The most disturbing elements of this story occurred before December. The breach (we won’t say break-in, because for all of the incident details TJX has released, it might have been an IT employee doing this internally) reportedly happened as early as mid-May 2006 and was only discovered in mid-December. This raises lots of questions about the level of security the company had in place at the time, how well it protected confidential customer data (encryption and retention issues), and how it could possibly have been unaware of a breach this large for seven months. The question of how it was finally discovered may shed a little light on that.

So please don’t get me wrong when I say that a lot of groups (from congressional investigators, federal agencies, class-action lawsuit attorneys, banking associations and state attorney generals) have been eager to throw a punch or two.

The head of the Massachusetts Bankers Association went so far as to question whether TJX is a victim at all. “We think it’s a little odd that (TJX) would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary,” said MBA President Daniel Forte.

But of all of those groups, the ones that seem to be taking the lead in independent investigation of this incident are state attorney generals. (Note to readers and to the copydesk: Many years ago, I had a city desk editor drum into me that the correct plural form of “attorney general” is “attorneys general.” This is one of these times where I think “grammatical correctness” needs to be trumped by “it sounds too weird.”)

On Wednesday, more than 30 of those states said they would support Massachusetts’ attorney general taking the lead in the probe. But at least one of the states not participating, for the moment, is Rhode Island. Rhode Island had already launched its own probe and it wants to continue going its own route.

The problem is that state-level justice departments often have very different goals. From time to time, there are exceptions. New York’s recently-promoted attorney general, Eliot Spitzer (now governor), enjoyed righting wrongs and accomplishing change that the feds should be doing, but usually don’t.

In this case, though, the states in the Massachusetts group seem to be focusing on helping consumers with credit reports and credit repair. Theoretically, the banks will cover the consumers’ actual losses from fraudulent transactions and identity theft. So their only loss is paying to watch their credit and then paying to fix it.

The hard-dollar cost of the monitoring and the repair is relatively minor (typically less than $50 per consumer and sometimes much less), although if indeed there are millions of consumer victims, even a small per-consumer amount could quickly become non-trivial. The bigger issue is compensating consumers for the many hours it takes (often spent on hold) to repair those credit records. The states are looking at the possibility of forcing the retailer to pay for professionals to clean up the credit records on the consumers’ behalf.

But the bigger issues, the ones that might actually address the root cause and make it less likely to repeat, are often glossed over. In the largest credit-card information breach to date (CardSystems, which may yet have to surrender that title to TJX), the company was punished by the market only after a congressional hearing forced all of the details to come out.

The only way to truly improve retail security is to make the punishment so severe that no retailer would ever dare skimp on protection or be flexible about policy adherence. Retail IT execs are watching the TJX case very closely, as are their bosses.

If a retail chain as massive as TJX is seriously bloodied, you’re going to start seeing a tidal wave of security purchases from retailers in every segment. If TJX gets away with a slap on the wrist, every CFO who ever pushed back on a security investment request is going to feel vindicated.

At best, security investments are gambles. Statistically, most sites are not going to get seriously penetrated that often. Of those that are penetrated, most of those incidents will never get disclosed. Of the few that get disclosed, most will get minimal media attention and will quickly go away. It’s the tiny percentage that get publicity that is the wildcard. The odds are against any retailer falling into that category, but, clearly, some will.

Does a CFO choose to hit a hard 17, to draw to an inside straight? Professional burglars know that, if they do their job properly, they won’t likely get caught. The only deterrence is that if they somehow are caught, the prison sentence is so severe that they won’t take the chance.

Are the states going to focus on what went wrong? Will criminal options, which at least one state is considering, be seriously explored? Will the states make full public disclosure of all that is learned, other than the sanitization of a few details that wouldn’t help the public but would help criminals? Will the hard questions about PCI compliance get asked?

The state AG offices could indeed go that route. But is it likely? Take the Massachusetts AG, for example. As of January 2006, TJX employed about 119,000 people, a healthy percentage of them based in Massachusetts.

The AG office there has a wonderful reputation for prosecuting many state residents and businesses. But in this kind of probe, the state can negotiate payments for consumers and be seen as tough. Why push it and force the retailer to disclose its security methods and what it did wrong?

I hope the states do push the envelope and force full disclosure and make every other retailer tremble in their boots at the prospect of being in the same position. The investigators with Rhode Island’s attorney general probe seem open to being quite aggressive. But this would be a role better suited to the feds. Any takers?
