Gonzalez Lawyers, Judges Debate Data Breach Costs
In those same federal sentencing guidelines, TJX’s filing said, “in cases involving stolen credit or debit cards, loss is quantified as a minimum of $500 per stolen payment card.” It added that its SEC filings “reported that data relating to at least 11.2 million unexpired payment cards were stolen during the intrusion. Defendant has not questioned this number. Applying the $500 per card minimum to these cards alone would yield a loss well above the $400 million threshold. The court could also apply the minimum $500 per card to the more than one million cards the Defendant stole from retailer DSW alone—thus ignoring both TJX’s claimed loss and any calculation based on payment card data from TJX—and still be well above the $400 million threshold.”
But the lawyers have many guidelines for sentencing. The law says the court should define “loss” as “the greatest of actual loss or intended loss.” The government cited a recent appellate court decision as offering yet a third metric: “The First Circuit has held that, in the case of stolen credit cards, intended loss reasonably may be found to be the stolen payment cards’ aggregate credit limit, since it is natural and probable to expect that purchasers of the stolen card numbers will charge as much as possible to them. It is also reasonable to hold a defendant accountable for the amount of loss as measured by the aggregate credit limit, even though the defendant’s personal profit has been dramatically less.”
Defense counselor Martin Weinberg disagreed. He pointed out that “the government’s discussion omits the fact that tens of millions of the accounts had expired and would therefore no longer have had credit limits at all.” He added that “the $500 per access device equation from which this figure is derived is completely arbitrary and lacking in any empirical validation” and that it was “irrational.”
Weinberg pointed out that, in the case of TJX, “of the 36 million card numbers obtained from TJX, at least 25 million–approximately 70 percent–were expired and therefore unusable.” He also quoted a federal probation department pre-sentence report on the Dave & Buster’s breach.
“Defendants obtained account information for approximately 110,630 debit and credit card accounts through the Dave & Buster’s intrusion. However, it further states that defendants obtained account information for 5,132 accounts from a particular Dave & Buster’s restaurant but used only 675–approximately 13 percent,” Weinberg wrote. “Using the arbitrary $500 per card figure, the Dave & Buster’s loss would be $55.315 million but, in reality, the losses to Dave & Buster’s and affected financial institutions were, according to the [pre-sentence report], only approximately $1.32 million. Thus, the loss produced [in the government report] is 42 times the actual loss.”
The argument Weinberg makes is, in essence, that the government cannot start from a large number of retail victims, multiply that into a huge count of intercepted cards, and then decline to prove that any of the specific loss claims holds up to close scrutiny.
“Despite having had access or potential access for several years to the foreign servers, to the affected corporations’ own internal investigations, and to records from Visa, MasterCard, and American Express, as well as possession of [accomplices’] computers and of records which would distinguish between losses attributable to the corporate response to the intrusion and losses attributable to use of the stolen data, the government has never quantified the amount of stolen data which was actually used to unlawfully obtain money from ATM machines, retailers, banks, or other sources to which the data was linked. Critically, despite the government’s possession of [accomplices’] computers, the government has adduced no evidence regarding the extent to which stolen data was ever used to an individual cardholder’s detriment, as opposed to simply remaining on the server.”