This is page 2 of:
TJX Settlement. More Proof That Security Investment Is Really Hard To Justify
Punitive would generally mean covering all legal costs plus reimbursing the banks for all out-of-pocket costs and then paying them something to compensate them for the pain of the litigation.
The payment specifically excluded legal fees. According to the statement TJX issued, the settlement didn’t even cover all of the banks’ out-of-pocket expenses let alone offer anything for their efforts. Oh and it also allowed TJX to say that it “has denied all wrongdoing.” The amount was enough that it was already covered in a reserve that TJX took back in the second fiscal quarter of 2007.
TJX has every right to vigorously defend itself and this is a good example of TJX skillfully working the environment it’s in. But if retailers are going to be able to justify to their boards meaningful security investments, that environment must change. It certainly doesn’t look like zero liability programs are going anywhere, even though that single gesture would likely be the most effective at enabling meaningful security investments.
The state laws enacted thus far—and some weak attempts at federal legislation–aren’t going to help. We need laws-civil and criminal that make the risk of being breached while deploying inadequate security so incredibly painful that no board would risk it.
Retailers are businesses and they can’t justify investments without the numbers. It’s up to society to provide that. Why does McDonald’s take tainted meat reports so seriously? I think we can scratch off “fear of the mighty FDA” off the list. It’s their fear of devastating lawsuits and consumers immediately and overwhelmingly abandoning their stores.
But with retailers and data security, it’s a different story. Zero liability prevents financial losses—thus halting effective civil lawsuits—and, also because of zero liability, consumers have not left TJX or Hannaford or any other breached retailer.
In the criminal cases against the cyberthieves accused of breaking into those chains, among the retailers effortlessly breached—due to weak security, according to the government—were TJX, Hannaford, 7-Eleven, BJ’s Wholesale Club, Boston Market, Sports Authority, Dave & Buster’s, Target, J.C. Penney, Office Max, Barnes & Noble, Sports Authority, Forever 21 and DSW. And there is at least one additional major national chain that has yet to be identified. Is anyone seeing any of those losing customers as a result of them being identified as having weak security? Not at all.
Unless the retail industry is prepared to accept these kinds of breaches as the norm—and there many indications that just that kind of acceptance is happening—changes are needed.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
