This is page 2 of:
JCPenney, Wet Seal: The Arguments For Keeping Gonzalez Mystery Merchants Secret
The judge sought to clarify the background. “That may be so. That is certainly something the Government would have to consider. But here I do not think it was a matter of Company A and Company B coming forward. This was a matter of Company A and Company B being identified as entities whose computer systems were breached,” the judge said. “So, we need not, I think, worry about how stouthearted corporations are going to be about coming forward. And the government has to make that calculation all the time in dealing with potential cooperators. I do have some considerable difficulty shedding a tear for a corporation.”
JCPenney’s counsel said the situation would have been different had the chain known from the beginning that secrecy wasn’t going to be maintained. The judge retorted: “So they could have taken steps to avoid and impede the government’s investigation?”
“No, but they could have certainly taken steps to make public disclosure on their own terms in their own way so that,” Ricciuti said, “to the extent there was going to be any public disclosure, they could at least alert the shareholding public who might be alarmed and concerned that there is not cause for alarm.”
The court was not mollified. “They have had three years to alert their shareholding public about problems with their security. They have chosen not to, relying, improvidently, on a protective order,” Judge Woodlock said. “But, frankly, I guess it is their choice, and they made it. Now it is my choice to deal with whether or not there should be disclosure of such an entity, and I cannot say that I have found this [argument] compelling at this point.”
Ricciuti then made the quintessential corporate argument. “The shareholders, the pension plans, the folks that own the stocks of these companies now will pay a price for the company relying on the Government,” he said.
“What do you mean ‘pay a price’? That the stock will go down?” asked the judge. “I guess, then, it is the choices they made about how transparent they were with their shareholders, with the market, generally, about their exposure. Others of these entities made disclosure fairly promptly about it.”
Added his Honor: “Does it make any sense, under these circumstances, to keep from disclosure the identity of a corporation which has had its information technology systems breached, another way of saying that they were vulnerable to breach? Some corporations get special privileges. They get not to be identified.”
At one point in the back-and-forth, JCPenney’s attorney said that he had agreed with an Assistant U.S. Attorney on one issue that the judge saw differently.
“Well, that makes two of you, then,” shot back the judge, before reminding him who was in charge. “But there is a third: the Court. It is a little bit like Lincoln’s Cabinet. When they took votes, Lincoln would ask and the vote would come back five to one, with Lincoln being the one. And he would say, ‘Five to one. The ones have it.'”
After he ordered the names to be unsealed, Woodlock cited from a favorite poem. “The Oklahoma Ligno and Lithograph Company weeps at a nude by Michelangelo,” the judge read to those attending the hearing. “It is so absurd to suggest that there is this anthropomorphic quality to corporations and that they are entitled to some special benefits as to leave it open to spoof by poets.”
Back in November, another attorney for JCPenney asked the judge to protect the company’s “dignity, “ phrasing that might have set his Honor off.
The government’s case had been beforehand, in written memos. “In the case of computer attacks such as the one charged here, the argument for this is undeniably strongest when people’s credit or debit card numbers are known, with certainty, to have been stolen from a corporation,” said Assistant U.S. Attorney Stephen Heymann. “However, it is only marginally less so when people’s credit or debit card numbers are put at risk by the failure of a corporation’s protective system. When a fraud or Internet attack has compromised a corporation’s security system and potentially put customers’ credit or debit card numbers at risk, it is far fairer for their customers to evaluate that risk on a fair presentation of the facts than for the corporation, alone, to be told of the intrusion by the government.”
Added Heymann: “Most people want to know when their credit or debit card numbers have been put at risk, not simply, if and after they have clearly been stolen. Knowing that card holders will be concerned that their credit or debit information has been put at risk, if they know it, provides an incentive to companies to invest in the protections their customers want. Transparency makes the market work in this area.”
-Marc
March 26th, 2010 at 11:16 pm
It’s about time the information was made public. Kudos to Judge Woodlock.
April 1st, 2010 at 9:13 am
This sounds like salvos in a war between the elected government and the corporate government that really rules this country.
April 1st, 2010 at 9:18 am
I cannot believe how arrogant JC Penney was!
April 1st, 2010 at 10:00 am
Yeah it’s public and likely known about to those in a IT security profession, but already forgotten about in the main public arena. Not to mention I’m willing to bet that new information like this will be overlooked by the media and won’t be considered a headline. Prove me wrong though and you’ll make me smile.
April 1st, 2010 at 3:41 pm
What an odd little poem – “Oklahoma ligno and lithograph” – I’m impressed the judge pulled that one out.