September 25, 2007
TJX Settlement Shows Why Compliance Isn't Taken Seriously
At the beginning of the year, the TJX data breach was making
headlines. People were incensed about the massive amount of data lost
(46 million individual records) and the length of time that had
elapsed since the initial breach (upwards of three years).
Legislatures at all levels of government moved to enact laws on a
similar scale to PCI to ensure the cardholder data of their
constituents was protected (an election year is coming up, after
all). Banks and consumers lined up to take TJX to court. Surely, they
were destined to be the poster child for taking security and
compliance seriously.
Until a week ago Friday, when TJX settled all of its consumer lawsuits.
Here is a commentary on the settlement from Evan Schuman's
StorefrontBacktalk post of September 22nd:
TJX has settled all of the consumer lawsuits resulting from the
breach by paying $6.5 million in attorney fees and offering consumers
some programs aimed at compensating those directly impacted.
The details from the full text of the 44-page TJX settlement filing
show the $17 billion retailer's attempts to address consumer
injuries. But given the huge scale of this breach, the compensation
to any one consumer is likely to be minimal.
TJX has agreed to compensate consumers for any time they lost "as a
result of the intrusion," but those calculations will assume a rate
of $10/hour.
The compensation also seems to be limited to $60 and will be in the
form of $30 vouchers for making purchases at TJX only. Further, if a
lot of consumers agree and "the total of such claims exceeds $7
million, the dollar amount of each voucher will be proportionately
reduced."
As Schuman commented with considerable skepticism in a companion
post, "Let me see if I understand this correctly. Due to apparently
recklessly weak security procedures, consumers that you invited into
your stores had their credit card information and identities taken,
all because they chose to buy your merchandise. How to make amends?
Invite them back to bring their new credit card and buy more stuff,
with a 15 percent discount."
Who was negotiating this settlement for the consumers? A major
shareholder in TJX? Consumers are partly to blame for all of this
too. You'd think with such a heavily-publicized breach of personal
information that people would be going out of their way to avoid
shopping at TJX properties like TJ Maxx and Marshall's. Nope. TJX is
actually enjoying a healthy 8% increase in revenue over 2006
according to industry reports. Can you imagine? With this settlement,
TJX could actually achieve even higher revenue numbers. Corporate
executives could be in line for performance bonuses...and the breach
could have helped to get them there!
It's no wonder so many companies are slow to take compliance
initiatives around information security seriously.
Contributed by Mark Tordoff
http://www.ecorablog.com/the_compliance_and_securi/2007/09/tjx-settlement-.html
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html